[feedback-report] On redacting data from ARF messages

Todd Herr therr at postmaster.rr.com
Mon Dec 28 06:02:19 PST 2009 

On Sun, Dec 27, 2009 at 10:03:11PM -0800, Murray S. Kucherawy wrote:
> In starting to edit the ARF draft per the proposed charter, I think 
> the ARF spec should say something about the practice of redacting 
> portions of a message about which an ARF message is being generated.  
> I know there are strong feelings on each side of the debate.  However, 
> I don't want to get into a debate about MUSTs or MUST NOTs, although 
> maybe that is indeed appropriate (we can debate that as well).
> 
> My thoughts for now are that the spec should say that an ARF 
> generator SHOULD NOT redact any data as that impedes the usefulness 
> of the report, but then the Security Considerations section should 
> discuss why some ADMDs might decide to do so anyway, and how receivers 
> might react to them doing so, and what measures they can take to 
> archive the redacted information so that they can chase down complaints.
> 
> Comments?

We redact, and here's the stock answer we give to those who complain
about our practice of doing so:

-------------------------------------------------------------
Road Runner is the High Speed Data service provided to 
its customers by Time Warner Cable.  Our lawyers are of 
the opinion that we are required, by the provisions of 
the 1984 US Cable Privacy Act that speak to our customers'
personally identifiable information, to remove our customers'
email addresses from any and all feedback loop reports we
send.

While we appreciate your frustration regarding this, we
cannot do any more about it at this time.  We encourage
senders to use the Message-ID, X- headers, VERPs, or the
body of the message itself to identify the customer who
complained about your mail.  We will pass along in the 
feedback loop reports everything about your mail exactly
as we receive it from our customers, save for our redacting
every occurrence of our customers' email addresses.

The Cable Privacy Act can be found online at this URL:

http://epic.org/privacy/cable_tv/ctpa.html

If your mailing is not using Variable Envelope Return Paths
(VERPs), you might want to read more about them here:

http://en.wikipedia.org/wiki/VERP

Thank you.
-------------------------------------------------------------

You may find some of the above text useful in building the more
general sections of the Security Considerations section.

-- 
Todd Herr
Principal Engineer and Postmaster              V: 703.345.2447
Road Runner Email Operations                   M: 571.287.0366
therr at postmaster.rr.com                      AIM: RRMailToddHerr

More information about the abuse-feedback-report mailing list