In article <caozaafnugvrijfjhqco_3phg_pajfjscomr8zjbzcl9_ucy...@mail.gmail.com> 
you write:
>For this ticket in particular-- the simplified failure report with only
>from: and to: addresses speaks to Jesse's exact use case, without any of
>the other PII that tends to get failure reports in privacy trouble (like
>body content and attachments). This approach to Jesse's use case should get
>a fair discussion, separate from whether we want failure reports at all.

Having sat in on far too many GDPR discussions, I'm sure that the To
and From addresses are exactly the kind of PII that makes lawyers
nervous. Keep in mind that there is no guarantee that the entity
getting the reports has any responsibility for either, particularly if
a third party is collecting the reports.

I don't think this group has any particular expertise in the issues
that are likely to make organizations decide whether there is legal
risk in sending the reports and whether and how much to redact them. I
would leave the whole ruf section alone other than perhaps making clearer
that the reports are optional and it may be useful to send even if
they are heavily redacted. As an example, a report with the Message-ID
but no To or From might still be enough for the report recipient to
figure out where a message came from while not disclosing any PII.

R's,
John

_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
