Re: [Shutup] Proposed Charter for the "SMTP Headers Unhealthy To User Privacy" WG

[Chris Lewis <ietf@mustelids.ca>]

On 12/06/2015 04:10 PM, Martijn Grooten wrote:
> On Sun, Dec 06, 2015 at 02:59:54PM -0500, Chris Lewis wrote:
>> I was never so glad as to see something as the wide-scale deployment
>> of callerid a few years later.
>
> But for Caller ID to work in cases like the one you describe, you
> wouldn't need to know the phone number (which often includes the
> location) of the caller; a "cryptographic blob" identifying their phone
> line would suffice.

The proper analog is "Call Trace".  You dial a * code, and the calling 
number gets recorded by the telco, but it can only be retrieved via a LE 
process (I do not believe it requires a full search warrant, but, 
joe-blow citizen certainly can't get it).  It cannot be disabled (but 
presumably spoofable) by the caller.

> I am not a lawyer, but I believe IP addresses are considered personal
> data in some countries; the European Court of Justice is currently
> looking into the issue. I don't think it's impossible for a court to
> decide that because of this, providers should strip (submission) IP
> addresses from emails.

Anything's possible.  What's also possible that when presented in its 
entirety, a court may still agree that the operational/other benefits of 
providing them in this case outweighs the potential risk.  Nothing is an 
absolute.  There are always edge cases where informed judgment is 
required, and you rely on courts and judges to provide guidance through 
precedent.

What I also know is that when asked, regulators over here in PIPEDA land 
are most emphatic in saying that IP addresses are not PII.  And this 
_includes_ the Privacy Commissioner.

> Or perhaps one of the many tracking companies is already using this to
> correlate emails sent to website visits. This could lead to outrage
> among privacy activists and a call for providers to strip submission IP
> addresses.

That's in part why we have governments - to prevent public panics of the 
uninformed driving public policy.

We had one when callerid happened.  Callerid got "fixed" not killed.

We had one when the newspaper stories about the leaks (that ultimately 
led to the Commission I was a member of).  They were (mostly) bogus. 
But we fixed the problems that were really there and weren't in the 
newspaper stories.

We have a panic _now_.  How would you feel about security/privacy policy 
being driven by Trump and his followers?  If that doesn't scare you, it 
should.

What would really be fascinating is to get one or more people highly 
respected in their knowledge of the law, public policy and privacy to 
take on the question of passing through SUBMIT addresses.  Bring out all 
the pros and cons.  Put it on trial as it were.

> I do think the proposed charter is a bit too strong on the need to
> remove headers which, given comments here, probably isn't very helpful.
> I would be in favour of a more open-minded charter, but I do think there
> is a need for a WG like this one.

I agree, but the WG charter is too strong on the mechanics of "how" and 
has nothing at all on the mechanics of "will it do anything?" and the 
real downsides.  The charter needs to be expanded, and the WG work begun.

Perhaps one of the most important things in the WG is to decide whether 
the output is a document, and whether the document is an informational, 
a BCP or standard or STD.  My current thinking is that we're going to 
hit BCP at best.

An alternate approach occured to me - rather than trying to defacto 
impose it everywhere (which is sorta what the existing documentation is 
pushing towards), what about some sort of informational/BCP or even full 
RFC defining a "privacy enhanced interface" and outline what it needs to 
do w.r.t. email, and other service privacy?  Existing environments could 
make it an option, makes an opportunity for niche providers, and 
describes in concrete terms what it needs to do?