John,
On 23-12-16 17:10, John Comfort via dmarc-discuss wrote:
> Maybe it is time to rethink this, or open a more official dialogue. I
> understand folks don't want to send reports. I understand the privacy
> issue. However, without these reports, or at least *some* information
> sent regarding the unaligned emails, we are at an impasse to migrating
> to a 'reject'. For certain environments (e.g. financial), we cannot
> reject *any* legitimate emails and therefore require verification of
> all emails that are rejected.
> I would be perfectly fine with limiting the information if people are
> really that paranoid about header information.
Please don't call this paranoid. See [1] for an example of what metadata
can disclose. I also note that yesterday the European Court of Justice
ruled that indiscriminate collection of emails is illegal [2]. This
ruling refers to the 'DIRECTIVE 2006/24/EC OF THE EUROPEAN
PARLIAMENT AND OF THE COUNCIL' [3]. This 2006 EU Directive was not about
storing contents of messages, but about the collection and storage of
metadata in relation to telecom and data communication, including e-mail
communication. As you can see from article 93 of yesterday's ruling, the
Court sees privacy as a fundamental right. Let me also quote article 99
from the ruling:
    That data, taken as a whole, is liable to allow very precise
    conclusions to be drawn concerning the private lives of the persons
    whose data has been retained, such as everyday habits, permanent or
    temporary places of residence, daily or other movements, the
    activities carried out, the social relationships of those persons and
    the social environments frequented by them (see, by analogy, in
    relation to Directive 2006/24, the /Digital Rights judgment/,
    paragraph 27). In particular, that data provides the means, as
    observed by the Advocate General in points 253, 254 and 257 to 259 of
    his Opinion, of establishing a profile of the individuals concerned,
    information that is no less sensitive, having regard to the right to
    privacy, than the actual content of communications.
As John (Levine) already said:
"[...] the privacy issues are just as bad with the headers."
> For example: date, receiving server information, originating smtp
> server sender, and subject line. This would be a good start at least.
Except for the subject line, this is precisely the information the EU
wanted to enforce the Internet providers to collect and retain and what
they no longer may do.
Let's make DMARC powerful and efficient instead of a "cool idea".
Now that more and more people become aware of the privacy nightmare
we're in, it is time to rethink this and try to concentrate on DKIM and
ARC and focus on reputation instead of 'p=reject' (which has caused the
need to get these reports).
/rolf
[1] https://labs.rs/en/metadata
[2] http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d0f130d62f596fa649ac47c69269818d1dc7ebbd.e34KaxiLc3eQc40LaxqMbN4PahaOe0?text=&docid=186492&pageIndex=0&doclang=EN&mode=req&dir=&occ=first&part=1&cid=929206
[3] http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054:0063:EN:PDF
_______________________________________________
dmarc-discuss mailing list
dmarc-discuss@dmarc.org
http://www.dmarc.org/mailman/listinfo/dmarc-discuss
NOTE: Participating in this list means you agree to the DMARC Note Well terms
(http://www.dmarc.org/note_well.html)