Re: Use of information collected from problem reporting addresses for marketing?

2020-06-03 Thread Nick France via dev-security-policy
On Wednesday, June 3, 2020 at 2:38:33 AM UTC+1, Benjamin Seidenberg wrote:
> Greetings:
> 
> Today, I received a marketing email from one of the CAs in Mozilla's
> program (Sectigo). As far as I know, the only interactions I've ever had
> with this CA where they would have gotten my name and email address would
> be from me submitting problem reports to them (for compromised private
> keys). Therefore, I can only assume that they mined their problem report
> submissions in order to generate their marketing contact lists.
> 
> This leads to two questions:
> 
> 1.) Is anyone aware of any policies that speak to this practice? I'm not
> aware of anything in the BRs or Mozilla policy that speak to this, but
> there are many other standards, documents, audit regimes, etc., which are
> incorporated by reference that I am not familiar with, and so it's possible
> one of them has something to say on this issue.
> 
> 2.) While I felt like this practice (if it happened the way I assumed) is
> inappropriate, is there a consensus from others that that is the case? If
> so, is there any interest in adding requirements to Mozilla's Policy about
> handling of information from problem reports received by CAs?
> 
> I do recall a discussion a while back on this list where a reporter had
> their information forwarded on to the certificate owner and got
> unpleasant emails in response and was asking whether the CAs were obligated
> to protect the identity of the reporters, but I don't recall any
> conclusions being reached.
> 
> Good Day,
> Benjamin


Benjamin, Ryan,

Apologies. Both of your email addresses did have a message sent to you from 
Sectigo in the past day or two regarding an upcoming webinar, which should not 
have been sent to you.
Both of your contacts were within our centralised ticketing and CRM system from 
your previous abuse reports.
A subset of users in the group for certificate and malware abuse were 
incorrectly contacted.

We have now marked all contact addresses who have submitted certificate and 
malware abuse reports as opt-out, and this will cover new reports going forward.
I believe at least Benjamin followed the opt-out link, which we have already 
taken action on.

Apologies once again - we do not wish for this to discourage the abuse reports 
we receive from the community.

Thanks,
Nick
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Use of information collected from problem reporting addresses for marketing?

2020-06-02 Thread Pedro Fuentes via dev-security-policy
As already said, this is purely about personal data processing, so the relevant 
regulation applies. I don't see need for the Root Programs to deal with this, 
as compliance with privacy regulations is already a requisite for Webtrust and 
other audits.

In countries affected by GDPR, which is the one I'm most familiar with, 
incorporating the email address into a DB and using it for unsolicited email 
wouldn't be permitted. This would be OK only if the contact comes from a web 
form where the sender can see the privacy notice and explicitly accepts being 
contacted for marketing purposes. Implicit consent is not allowed anymore.


Re: Use of information collected from problem reporting addresses for marketing?

2020-06-02 Thread Ryan Sleevi via dev-security-policy
On Tue, Jun 2, 2020 at 10:25 PM Paul Walsh via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> I dislike being added to lists as much as the next person. There are
> numerous reasons for what might have happened. Had you set up an address for
> the purpose of contacting them, or any other company, you’d know for sure.
>
> My personal approach would be to ask them before emailing the list. And
> I’m not pointing the finger because you decided to email the list :))
>
> I’ve received some unsolicited emails from people here, but I’m lucky
> because I appreciated each one - but they weren’t marketing emails.
>
> - Paul
>
>
> >> On Jun 2, 2020, at 6:38 PM, Benjamin Seidenberg via dev-security-policy
>  wrote:
> > Greetings:
> >
> > Today, I received a marketing email from one of the CAs in Mozilla's
> > program (Sectigo). As far as I know, the only interactions I've ever had
> > with this CA where they would have gotten my name and email address would
> > be from me submitting problem reports to them (for compromised private
> > keys). Therefore, I can only assume that they mined their problem report
> > submissions in order to generate their marketing contact lists.


As did I, not having done any business with Sectigo, on my personal email,
which I’ve only ever used for problem reporting with them.


> >
> > This leads to two questions:
> >
> > 1.) Is anyone aware of any policies that speak to this practice? I'm not
> > aware of anything in the BRs or Mozilla policy that speak to this, but
> > there are many other standards, documents, audit regimes, etc., which are
> > incorporated by reference that I am not familiar with, and so it's
> possible
> > one of them has something to say on this issue.
>

I’m not aware of any, although it seems a rather brazen and distasteful
practice.

>
> > 2.) While I felt like this practice (if it happened the way I assumed) is
> > inappropriate, is there a consensus from others that that is the case? If
> > so, is there any interest in adding requirements to Mozilla's Policy
> about
> > handling of information from problem reports received by CAs?


I think something more concrete is useful here before contemplating. I’m
supportive of policies preventing such crass usages, but I’m worried CAs
already take very liberal interpretations of things to be kept private in
order to avoid transparency, and this might further embolden such
shenanigans.


Re: Use of information collected from problem reporting addresses for marketing?

2020-06-02 Thread Matt Palmer via dev-security-policy
On Tue, Jun 02, 2020 at 06:38:12PM -0700, Benjamin Seidenberg via 
dev-security-policy wrote:
> Today, I received a marketing email from one of the CAs in Mozilla's
> program (Sectigo). As far as I know, the only interactions I've ever had
> with this CA where they would have gotten my name and email address would
> be from me submitting problem reports to them (for compromised private
> keys). Therefore, I can only assume that they mined their problem report
> submissions in order to generate their marketing contact lists.

I've sent several hundred certificate problem reports to a number of CAs in
the past few months, and I'm yet to get marketing spam from Sectigo as a
result.  I have had one (suspected) scrape-from-problem-report incident from
a different CA, but I can't be 100% sure, since I was at that time still
sending out problem reports from my personal address.  I now use per-report
plus-addressed addresses that go to a dedicated account -- it's possible that
the spamcannons don't recognise + as a valid local-part character, though. 


> 1.) Is anyone aware of any policies that speak to this practice? I'm not
> aware of anything in the BRs or Mozilla policy that speak to this, but
> there are many other standards, documents, audit regimes, etc., which are
> incorporated by reference that I am not familiar with, and so it's possible
> one of them has something to say on this issue.

No, I am not aware of anything specific to CAs/PKIs that would prohibit such
a practice.  You'd need to fall back to general data-handling legislation
like GDPR, California's new statute, and so on (as relevant to your
jurisdiction).

> 2.) While I felt like this practice (if it happened the way I assumed) is
> inappropriate, is there a consensus from others that that is the case? If
> so, is there any interest in adding requirements to Mozilla's Policy about
> handling of information from problem reports received by CAs?

It's certainly dumb as rocks, because the sort of people who are reporting
problems to CAs are not, by and large, the sort of people who are going to
be purchasing managers for things like managed PKI, and those same people
are also probably going to be the sort of people who are not fans of getting
spammed.  However, Rule 1, I believe, is that spammers are dumb.  If they
weren't, they wouldn't scrape whois data for abuse reporting addresses...

As far as making requirements in Mozilla Policy, I have my doubts that it'd
really fly.  As you note, the far more risky problem of having problem
reporters exposed to potential unpleasantness from incompetent subscribers
being unhappy at the wrong people:

> I do recall a discussion a while back on this list where a reporter had
> their information forwarded on to the certificate owner and got
> unpleasant emails in response and was asking whether the CAs were obligated
> to protect the identity of the reporters, but I don't recall any
> conclusions being reached.

was not conclusively addressed, and so I doubt there would be much interest
in a rule that said "thou shalt not spam people who report problems".

For all those reasons and more, I've switched to a separate e-mail account
and per-report addresses -- no (obvious) human to threaten with spurious
lawsuits, and if I get spam it's blindingly obvious where it came from.  The
automated reporting system I've set up also watches OCSP for revocation times
and keeps full and complete records of all correspondence and timestamps, so
I can tell exactly what (for example) the reporting timeframes were, and
whether the BR requirements were met.

On that front, actually, would it be of any use to you (or others) if there
was a way to route your problem reports through my Revokinator system?  It'd
give you some amount of protection against spam and the such like, and
built-in OCSP / revocation time tracking.

- Matt

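The setup Matt describes (a per-report plus-addressed sender going to a dedicated account, with correspondence timestamps and the OCSP revocation time recorded so the BR timeframe can be checked) as an added Python example. This is not Matt's Revokinator code and is not part of the original thread; it touches no network. The mailbox reports@example.org, the tag secret, the certificate fingerprint and the inbound messages are constructed for illustration, and the revocation time is passed in by the caller as if read from an OCSP response's revocationTime.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import getaddresses
from typing import Dict, List, Optional, Tuple

# Constructed values: one dedicated mailbox receives all plus-addressed mail
# (reports+<tag>@example.org); the secret keeps per-report tags unguessable.
MAILBOX_LOCAL = "reports"
MAILBOX_DOMAIN = "example.org"
TAG_SECRET = b"constructed-secret-rotate-in-real-use"
# BR 4.9.1.1: the CA SHALL revoke within 24 hours of obtaining evidence of
# Subscriber Private Key compromise.
KEY_COMPROMISE_DEADLINE = timedelta(hours=24)


def utc(year: int, month: int, day: int, hour: int = 0) -> datetime:
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def report_tag(ca: str, cert_sha256_hex: str) -> str:
    """Deterministic but unguessable tag for one (CA, certificate) report.
    An HMAC rather than a plain hash: knowing the fingerprint is not enough
    to compute the address, and re-sending the same report reuses the tag."""
    data = f"{ca.lower()}|{cert_sha256_hex.lower()}".encode()
    return hmac.new(TAG_SECRET, data, hashlib.sha256).hexdigest()[:16]


def report_address(ca: str, cert_sha256_hex: str) -> str:
    return f"{MAILBOX_LOCAL}+{report_tag(ca, cert_sha256_hex)}@{MAILBOX_DOMAIN}"


@dataclass
class Report:
    ca: str
    cert_sha256: str
    address: str
    sent_at: datetime
    revoked_at: Optional[datetime] = None  # revocationTime read from OCSP
    log: List[Tuple[datetime, str]] = field(default_factory=list)


class ReportLedger:
    """Every report keyed by its tag, so inbound mail can be attributed."""

    def __init__(self) -> None:
        self.by_tag: Dict[str, Report] = {}

    def open(self, ca: str, cert_sha256_hex: str, sent_at: datetime) -> Report:
        report = Report(ca, cert_sha256_hex, report_address(ca, cert_sha256_hex), sent_at)
        report.log.append((sent_at, "problem report sent"))
        self.by_tag[report_tag(ca, cert_sha256_hex)] = report
        return report

    def attribute(self, raw_message: str) -> Optional[Report]:
        """The report whose address this message was sent to, or None for mail
        to the bare mailbox, to another domain, or to an unknown (forged) tag."""
        msg = message_from_string(raw_message)
        for _, addr in getaddresses(msg.get_all("to", []) + msg.get_all("cc", [])):
            local, _, domain = addr.rpartition("@")
            base, plus, tag = local.partition("+")
            if domain.lower() != MAILBOX_DOMAIN or base.lower() != MAILBOX_LOCAL or not plus:
                continue
            report = self.by_tag.get(tag)
            if report is not None:
                return report
        return None

    def record_revocation(self, report: Report, revoked_at: datetime) -> None:
        """revoked_at is the revocationTime the CA's OCSP responder returned."""
        report.revoked_at = revoked_at
        report.log.append((revoked_at, "revocation observed via OCSP"))


def deadline_met(report: Report) -> Optional[bool]:
    """None while unrevoked; otherwise whether revocation came within 24 hours
    of the report being sent. Measuring from send time is the strict reading;
    the BR clock runs from when the CA obtains the evidence."""
    if report.revoked_at is None:
        return None
    return report.revoked_at - report.sent_at <= KEY_COMPROMISE_DEADLINE


if __name__ == "__main__":
    ledger = ReportLedger()
    rep = ledger.open("ExampleCA", "ab" * 32, utc(2020, 6, 1, 9))  # constructed fingerprint
    print("report sent from:", rep.address)
    ledger.record_revocation(rep, utc(2020, 6, 2, 15))  # 30 hours after the report
    print("24h deadline met:", deadline_met(rep))
    # Constructed marketing mail that arrived at the per-report address.
    spam = f"From: marketing@example.net\nTo: {rep.address}\nSubject: Webinar\n\nHi!\n"
    hit = ledger.attribute(spam)
    print("address leaked by:", hit.ca if hit else "unknown")
```

The tag is an HMAC of the CA name and certificate fingerprint rather than a random string so that a re-sent report lands on the same address and a CA cannot forge a tag it was never sent; any mail to a tag the ledger does not know is treated as unattributable. Whether the 24-hour clock should start at send time or at the CA's acknowledgement is a judgement call, so the function says which reading it applies.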


Re: Use of information collected from problem reporting addresses for marketing?

2020-06-02 Thread Paul Walsh via dev-security-policy
I dislike being added to lists as much as the next person. There are numerous 
reasons for what might have happened. Had you set up an address for the purpose 
of contacting them, or any other company, you’d know for sure. 

My personal approach would be to ask them before emailing the list. And I’m not 
pointing the finger because you decided to email the list :))

I’ve received some unsolicited emails from people here, but I’m lucky because I 
appreciated each one - but they weren’t marketing emails. 

- Paul


>> On Jun 2, 2020, at 6:38 PM, Benjamin Seidenberg via dev-security-policy 
>>  wrote:
> Greetings:
> 
> Today, I received a marketing email from one of the CAs in Mozilla's
> program (Sectigo). As far as I know, the only interactions I've ever had
> with this CA where they would have gotten my name and email address would
> be from me submitting problem reports to them (for compromised private
> keys). Therefore, I can only assume that they mined their problem report
> submissions in order to generate their marketing contact lists.
> 
> This leads to two questions:
> 
> 1.) Is anyone aware of any policies that speak to this practice? I'm not
> aware of anything in the BRs or Mozilla policy that speak to this, but
> there are many other standards, documents, audit regimes, etc., which are
> incorporated by reference that I am not familiar with, and so it's possible
> one of them has something to say on this issue.
> 
> 2.) While I felt like this practice (if it happened the way I assumed) is
> inappropriate, is there a consensus from others that that is the case? If
> so, is there any interest in adding requirements to Mozilla's Policy about
> handling of information from problem reports received by CAs?
> 
> I do recall a discussion a while back on this list where a reporter had
> their information forwarded on to the certificate owner and got
> unpleasant emails in response and was asking whether the CAs were obligated
> to protect the identity of the reporters, but I don't recall any
> conclusions being reached.
> 
> Good Day,
> Benjamin


Use of information collected from problem reporting addresses for marketing?

2020-06-02 Thread Benjamin Seidenberg via dev-security-policy
Greetings:

Today, I received a marketing email from one of the CAs in Mozilla's
program (Sectigo). As far as I know, the only interactions I've ever had
with this CA where they would have gotten my name and email address would
be from me submitting problem reports to them (for compromised private
keys). Therefore, I can only assume that they mined their problem report
submissions in order to generate their marketing contact lists.

This leads to two questions:

1.) Is anyone aware of any policies that speak to this practice? I'm not
aware of anything in the BRs or Mozilla policy that speak to this, but
there are many other standards, documents, audit regimes, etc., which are
incorporated by reference that I am not familiar with, and so it's possible
one of them has something to say on this issue.

2.) While I felt like this practice (if it happened the way I assumed) is
inappropriate, is there a consensus from others that that is the case? If
so, is there any interest in adding requirements to Mozilla's Policy about
handling of information from problem reports received by CAs?

I do recall a discussion a while back on this list where a reporter had
their information forwarded on to the certificate owner and got
unpleasant emails in response and was asking whether the CAs were obligated
to protect the identity of the reporters, but I don't recall any
conclusions being reached.

Good Day,
Benjamin