In hindsight, it looks a bit strange to have the first paragraph say "don't 
worry about PII" and the next paragraph say "if you're worried about PII, 
here's how to mitigate".

But it's a genuine concern (misguided or not) and I've been in enough meetings 
to at least understand where it comes from, even if I don't agree. So I'd 
propose something like the below, which I think gets across what we all want to 
say.

=======
Aggregate feedback reports contain anonymized data relating to messages 
purportedly originating from the Domain Owner. The data does not contain any 
identifying characteristics about individual senders or receivers. No personal 
information such as individual email addresses, IP addresses of individuals, or 
the content of any messages, is included in reports.

Mail Receivers should have no concerns in sending reports as they do not 
contain personal information. In all cases, the data within the reports relates 
to the authentication information provided by mail servers sending messages on 
behalf of the Domain Owner. This information is necessary to assist Domain 
Owners in implementing and maintaining DMARC.

Domain Owners should have no concerns in receiving reports as they do not 
contain personal information. The reports only contain aggregated anonymized 
data related to the authentication details of messages claiming to originate 
from their domain. This information is essential for the proper implementation 
and operation of DMARC. Domain Owners who are unable to receive reports for 
organizational reasons can choose to exclusively direct the reports to an 
external processor.
=======

And, I agree - it's a bit weird to be okay with having a policy to not see your 
own reports. But the "see no evil, hear no evil" risk mitigation strategy is 
tried and tested. The whole IG/DPO space is really crazy in some places too.

Ken.

> -----Original Message-----
> From: John Levine <[email protected]>
> Sent: Thursday 18 February 2021 02:46
> To: [email protected]
> Cc: Ken O'Driscoll <[email protected]>
> Subject: Re: [dmarc-ietf] Ticket #64 - Contained Data PII Concerns
> 
> In article
> <vi1pr01mb70538541d7ade18a555b05d6c7...@vi1pr01mb7053.eurprd01.prod.exch
> angelabs.com> you write:
> >Aggregate feedback reports are essential for the proper implementation
> >and operation of DMARC. Domain Owners can choose to exclusively direct
> >reports to a processor external to their organization. In such cases,
> >the content of the reports are never sent directly to the Domain Owner.
> 
> That is OK but I would also want to point out that the data are
> aggregated and contain no individual e-mail addresses of senders or
> recipients, nor IP addresses of individuals nor any contents of
> messages, so it is unlikely that they contain any PII.
> 
> I have to say it seems weird to me that it's OK to send whatever to
> external places but not to your own staff.
> 
> R's,
> John
_______________________________________________
dmarc mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dmarc