
Re: WG Review: Domain-based Message Authentication, Reporting & Conformance (dmarc)

2014-07-18 12:49:13
Murray S. Kucherawy wrote:
> Martin Rex <mrex(_at_)sap(_dot_)com> wrote:
> >
> > The main problem that I have is DMARC, is that the approach is
> > technically and morally wrong, and legally prohibited (=criminal)
> > in properly civilized countries.
>
> Could you elaborate on why to the two "wrong" assertions?
>
> > And DMARC reporting needs to be killed.
>
> Could you elaborate on why?  I only ask because some operators think the
> reporting is actually the more valuable thing DMARC has to offer, and you
> seem to have different information.

The issuer of a DMARC policy (who publishes the DNS records) is
a legal third party to the transfer of an EMail message from an SMTP sender
to an SMTP receiver.  Revealing information about communication between
two parties (including unsuccessful communication attempts) to an outside
third party (such as a "domain owner who issues DMARC policy records") is
unconditionally illegal for telecommunications service providers.

Looking at the communication contents will also almost always be illegal.
The telecommunication service provider is only entitled to process the
"traffic data", which in case of SMTP EMail is strictly limited to the
IP addresses and TCP ports of the communication peers _plus_ the SMTP
Envelope (aka MAIL FROM: and RCPT TO:); the rfc5322-From: is part of
the communication content and off-limits to the telecommunication service
provider.  Processing of the contents for any other purpose than what is
necessary for transferring the bits from sender to receiver will be
unconditionally illegal, collecting such data and reporting it to an
outside third party doubly so.


The issue is the complete incompatibility of DMARC with the core principle
of the fundamental Human Right on confidential communication.  This
fundamental right is spelled out in the German constitution (Art. 10 Abs. 1 GG)
and it is also part of the European Convention on Human Rights
(Article 8 (1.)) as interpreted by the European Court of Human Rights
and confirmed in a recent decision of the European Court of Justice.

By being part of the constitution (Germany) or of a Constitution-Like
Fundamental Right (EU Convention of Human Rights after the Treaty of Lisbon),
the core principle of Communication Confidentiality is even sacrosanct from
national legislation or EU member states (something that the
constitution-less UK seems to currently struggle with and which
probably voids parts of their rushed UK DRIP bill).


Maybe a quick glance at the EU Directive 2002/58/EC from 10-Jul-2002 helps:

http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32002L0058&from=EN

from Article 5 "Confidentiality of the Communications" (page 7 of above PDF):

  1. Member States shall ensure the confidentiality of communications
     and the related traffic data by means of a public communications
     network and publicly available electronic communications services,
     through national legislation. In particular, they shall prohibit
     listening, tapping, storage or other kinds of interception or
     surveillance of communications and the related traffic data by
     persons other than users, without the consent of the users
     concerned, except when legally authorised to do so in accordance
     with Article 15(1).

This "Member States shall ensure ..." and "they shall prohibit..."
means that there ought to exist, by now, criminal statutes in every
EU member state for violation of communication confidentiality.
In German national law, it's "a fine or prison term of up to 5 years"
for telecommunication service providers, and the definition of the
latter includes all employers and organizations running organizational
telecommunication systems/networks (phone, mail, chat, Internet access, etc.)


The key issue is the legal definitions of "user", "communication"
and "traffic data" and this is where the EU is aeons ahead of the US.

"traffic data" is what the USG derogatively calls "metadata" or
"business records".  In the EU, the "traffic data" is part of the
communication and subject to the same protections.  This includes
traffic data about unsuccessful communication attempts.


Article 2 "Definitions" of this EU directive (page 7 of above PDF)

  The following definitions shall also apply:
   (a) "user" means any natural person using a publicly available
       electronic communications service, for private or business
       purposes, without necessarily having subscribed to this
       service;
   (b) "traffic data" means any data processed for the purpose of
       the conveyance of a communication on an electronic
       communications network or for the billing thereof;
   (c) "location data" means any data processed in an electronic
       communications network, indicating the geographic position
       of the terminal equipment of a user of a publicly available
       electronic communications service;
   (d) "communication" means any information exchanged or
       conveyed between a finite number of parties by means of a
       publicly available electronic communications service. This
       does not include any information conveyed as part of a
       broadcasting service to the public over an electronic
       communications network except to the extent that the
       information can be related to the identifiable subscriber or
       user receiving the information;
   (e) "call" means a connection established by means of a publicly
       available telephone service allowing two-way communication
       in real time;
   (f) "consent" by a user or subscriber corresponds to the data
       subject's consent in Directive 95/46/EC;
   (g) "value added service" means any service which requires the
       processing of traffic data or location data other than traffic
       data beyond what is necessary for the transmission of a
       communication or the billing thereof;
   (h) "electronic mail" means any text, voice, sound or image
       message sent over a public communications network which
       can be stored in the network or in the recipient's terminal
       equipment until it is collected by the recipient.

-Martin
