On 16-03-18 10:47, Steven M Jones wrote:
> On 3/15/18 10:19 AM, Kurt Andersen (b) wrote:
>> Two more items for discussion (coming from a chat that I had with
>> some of the NCSC folks today):
>
> Thanks for sharing their input.
>
>> * Creating a diagnostic report that would have some additional
>>   information (such as sending address) and URLs without going
>>   quite as far as a forensic report - so something between the
>>   aggregate and forensic levels
>
> I'm probably missing something, but -- aren't email addresses usually
> classed as PII in the EU, whether they're sending or receiving at the
> moment? Seems to me it would run afoul of the privacy regs that tend
> to rule out forensic reports in certain jurisdictions...
>
> Maybe there's a batch/aggregate angle vs. per-message that helps
> avoid that concern? Would time and URLs alone be useful enough to
> warrant the effort and expense?

Well, given the upcoming GDPR legislation and the sanctions that come
with it [1], maybe an agenda item 'DMARC reports and privacy' would be a
good point. Ideally we would like to have someone present with both GDPR
and DMARC knowledge...
/rolf
[1] https://www.itgovernance.co.uk/dpa-and-gdpr-penalties