Murray S. Kucherawy wrote: > Martin Rex <mrex@xxxxxxx> wrote: >> >> The main problem that I have is DMARC, is that the approach is >> technically and morally wrong, and legally prohibited (=criminal) >> in properly civilized countries. > > Could you elaborate on why to the two "wrong" assertions? > >> And DMARC reporting needs to be killed. > > Could you elaborate on why? I only ask because some operators think the > reporting is actually the more valuable thing DMARC has to offer, and you > seem to have different information. The issuer of a DMARC policy (who publishes the DNS records) is a legal third party to the transfer of an EMail message from an SMTP sender to an SMTP receiver. Revealing information about communication between two parties (including unsuccessful communication attempts) to an outside third party (such as a "domain owner who issues DMARC policy records") is unconditionally illegal for telecommunications service providers. Looking at the communication contents will also close to always be illegal. The telecommunication service provider is only entitled to process the "traffic data", which in case of SMTP EMail is strictly limited to the IP addresses and TCP ports of the communication peers _plus_ the SMTP Envelope (aka MAIL FROM: and RCPT TO:), the rfc5322-From: is part of the communication content and off-limits to the telecommunication service provider. Processing of the contents for any other purpose than what is necessary for transfering the bits from sender to receiver will be unconditionally illegal, collecting such data and reporting it to an outside third party doubly so. The issue is the complete incompatibility of DMARC with the core principle of the fundamental Human Right on confidential communication. This fundamental right is spelled out in the German constitution (Art. 10 Abs. 1 GG) and it is also part of the the European Convention on Human Rights (Article 8 (1.)) as interpreted by the European Court of Human Rights and confirmed in a recent decision of the European Court of Justice. By being part of the constitution (Germany) or of a Constitution-Like Fundamental Right (EU Convention of Human Rights after the Treaty of Lisbon), the core principle of Communication Confidentiality is even sacrosanct from national legislation or EU member states (something that the constitution-less UK seems to currently struggle with and which probably voids parts of their rushed UK DRIP bill). Maybe a quick glance at the EU Directive 2002/58/EC from 10-Jul-2002 helps: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32002L0058&from=EN from Article 5 "Confidentiality of the Communications" (page 7 of above PDF): 1. Member States shall ensure the confidentiality of commu- nications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In parti- cular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). This "Member States shall ensure ..." and "they shall prohibit..." means that there ought to exist, by now, criminal statutes in every EU member states for violation of communication confidentiality. In German national law, its "a fine or prison term of up to 5 years" for telecommunication service providers, and the definition of the latter includes all employers and organizations running organzational telecommunication systems/networks (phone, mail, chat, InternetAccess, etc.) The key issue is the legal definitions of "user", "communication" and "traffic data" and this is where the EU is aeons ahead of the US. "traffic data" is what the USG derogatively calls "metadata" or "business records". In the EU, the "traffic data" is part of the communication and subject to the same protections. This includes traffic data about unsuccessful communication attempts. Article 2 "Definitions" of this EU directive (page 7 of above PDF) The following definitions shall also apply: (a) "user" means any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service; (b) "traffic data" means any data processed for the purpose of the conveyance of a communication on an electronic communications network or for the billing thereof; (c) "location data" means any data processed in an electronic communications network, indicating the geographic posi- tion of the terminal equipment of a user of a publicly avail- able electronic communications service; (d) "communication" means any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service. This does not include any information conveyed as part of a broadcasting service to the public over an electronic communications network except to the extent that the information can be related to the identifiable subscriber or user receiving the information; (e) "call" means a connection established by means of a publicly available telephone service allowing two-way communica- tion in real time; (f) "consent" by a user or subscriber corresponds to the data subject's consent in Directive 95/46/EC; (g) "value added service" means any service which requires the processing of traffic data or location data other than traffic data beyond what is necessary for the transmission of a communication or the billing thereof; (h) "electronic mail" means any text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient. -Martin