SMTP forwarding in the face of Data Protection Directive

Hi all, can a tool for lawfully acquiring a user's consent via the Internet motivate SMTP operators to modify their procedures in such a way that spam can be countered more effectively? Let me please expand slightly on this question, I'll try and be concise.

It is well known that the Simple Mail Transfer Protocol provides for replacing the envelope recipient with one or more other email addresses. This server forwarding is not to be confused with manually forwarding a message from a client. Mailing lists and newsletters are operated that way, as well as redirection configured by means of "dot forward" static files. Since email addresses are personal data, their processing is covered by Directive 95/46/EC.

How is the data subject's consent acquired? In response to the Data Protection Directive, operators should have defined a protocol for obtaining and keeping proof of the consent. It never happened. In fact, it is very difficult to introduce new protocols for email --new protocols for web operations come about much more frequently.

Evidence that consent has been granted can be provided by the data subject's mail exchanger (MX, a.k.a. the user's incoming mail server). It can digitally sign a notification from the data processor. That way, the user's server becomes aware of a new wanted stream of messages, and can whitelist it. That is, it can skip anti-spam checking for those messages. As bulk messages account for a significant part of legitimate mail, anti-spam measures could then be significantly strengthened.

The users' advantage is to have an automatically maintained list of subscriptions, and a uniform interface to manage them. Currently, users have to interact with what can be called a "time-distributed database", in the sense that monthly or yearly they may receive subscription reminders...

The obvious shortcoming of this idea is that mail server operators simply won't install any new software if their systems can work acceptably well without it. However, acquiring written consent is such a pain to many businesses that, perhaps, they will install that software if it helps them comply with privacy issues. What do you think?

TIA for any comment

Just a clarifying question... you talk about consent acquired regarding the fact the email address will be processed (i.e. personal data will be processed)?

Patrik

On 18 May 2011, at 20.56, Alessandro Vesely wrote:
Hi all, can a tool for lawfully acquiring a user's consent via the Internet motivate SMTP operators to modify their procedures in such a way that spam can be countered more effectively? Let me please expand slightly on this question, I'll try and be concise.
It is well known that the Simple Mail Transfer Protocol provides for replacing the envelope recipient with one or more other email addresses. This server forwarding is not to be confused with manually forwarding a message from a client. Mailing lists and newsletters are operated that way, as well as redirection configured by means of "dot forward" static files. Since email addresses are personal data, their processing is covered by Directive 95/46/EC.
How is the data subject's consent acquired? In response to the Data Protection Directive, operators should have defined a protocol for obtaining and keeping proof of the consent. It never happened. In fact, it is very difficult to introduce new protocols for email --new protocols for web operations come about much more frequently.
Evidence that consent has been granted can be provided by the data subject's mail exchanger (MX, a.k.a. the user's incoming mail server). It can digitally sign a notification from the data processor. That way, the user's server becomes aware of a new wanted stream of messages, and can whitelist it. That is, it can skip anti-spam checking for those messages. As bulk messages account for a significant part of legitimate mail, anti-spam measures could then be significantly strengthened.
The users' advantage is to have an automatically maintained list of subscriptions, and a uniform interface to manage them. Currently, users have to interact with what can be called a "time-distributed database", in the sense that monthly or yearly they may receive subscription reminders...
The obvious shortcoming of this idea is that mail server operators simply won't install any new software if their systems can work acceptably well without it. However, acquiring written consent is such a pain to many businesses that, perhaps, they will install that software if it helps them comply with privacy issues. What do you think?
TIA for any comment

On 18 May 2011, at 19:56, Alessandro Vesely wrote:
How is the data subject's consent acquired?
Consent for what? Joining the list? Receiving and posting messages? Being moderated or cross-posted to a newsgroup?
In response to the Data Protection Directive, operators should have defined a protocol for obtaining and keeping proof of the consent. It never happened. In fact, it is very difficult to introduce new protocols for email.
I think we need to be careful to avoid confusing each other. For the purposes of this discussion, "protocol" should mean an IETF specification. Let's use "process" to mean "protocol for obtaining and keeping proof of the consent" ie not an IETF protocol. A dictionary definition of protocol would include this "process" definition, but let's not use the same word for different things. List managers may need a process to show they have user consent. This might but probably won't need a protocol such as yet another tweak to SMTP. At least I hope it won't need that.

With that clarification out of the way, the consent you ask about is probably implicit: eg your employer puts you on company mailing lists as a condition of employment or it's your job to join certain (public) lists. In other cases, the act of joining a mailing list implies consent. If you don't want the list to process your Personal Data (email address), don't join it. In other cases, consent may be inherited from other terms and conditions: eg your ISP or registrar puts you on some mailing list for management of your account or whatever and you agree to that as a part of doing business together.

I am not a lawyer and don't play one on TV. However I have dealt with Data Protection issues and had too many non-trivial discussions with a DPA, the UK Information Commissioner's Office. [ICANN gTLD registry contracts and whois, if anyone cares... The scars have nearly healed in case any of you are asking.] The short answer to how your SMTP concern plays out will depend on the view of your DPA. So ask them. Or ask your lawyer first and then ask the national DPA.

I would be surprised if there was unanimity or even consensus amongst the EU DPAs on this topic, assuming they have considered this issue in WP29. And yes, I realise this is underpinned by a couple of EU Directives. But how these get enacted and enforced in national law differs from country to country. Then there's the question of how the national DPA sees its responsibilities and priorities. I would expect most will either not care about electronic mailing lists or take the pragmatic view that since list membership is under the user's control, that in itself provides the required consent. However I would not bet money on this.

Another rat-hole to explore is what the list manager does with the Personal Data and if consent is needed for adding list members to other lists. Or lists of lists. What constitutes proportionate and fair usage of Personal Data then? My head is now starting to hurt...

Perhaps we could invite someone from WP29 to speak about this at the next WG meeting?

Hi, thank you all for your interest. I am touched and happier. I reply to comments by Patrik, Jim, and Staffan in this message.

On 18/May/11 22:25, Patrik Fältström wrote:
Just a clarifying question...you talk about consent acquired regarding the fact the email address will be processed (i.e. personal data will be processed)?
Yes.

On 18/May/11 23:37, Jim Reid wrote:
On 18 May 2011, at 19:56, Alessandro Vesely wrote:
How is the data subject's consent acquired?
Consent for what? Joining the list? Receiving and posting messages? Being moderated or cross-posted to a newsgroup?
Consent for keeping the email address, any accompanying data, and any related processing, such as receiving posts, moderation, archiving, copyright, et cetera.
In response to the Data Protection Directive, operators should have defined a protocol for obtaining and keeping proof of the consent. It never happened. In fact, it is very difficult to introduce new protocols for email.
I think we need to be careful to avoid confusing each other. For the purposes of this discussion, "protocol" should mean an IETF specification. Let's use "process" to mean "protocol for obtaining and keeping proof of the consent" ie not an IETF protocol. A dictionary definition of protocol would include this "process" definition, but let's not use the same word for different things. List managers may need a process to show they have user consent. This might but probably won't need a protocol such as yet another tweak to SMTP. At least I hope it won't need that.
It's ok for these terms, for the sake of this discussion. In case we want to expand it, we'll have to give it a name and a specification. Further steps would be implementing it, testing, and finding out how to publish it as an RFC. The process core had probably better be separate from SMTP. However, mail filters may help. For example, an SMTP extension may allow a receiving server to tell a sending Mailing List Manager (MLM) that it supports the process, in case the MLM is interested.
With that clarification out of the way, the consent you ask about is probably implicit: eg your employer puts you on company mailing lists as a condition of employment or it's your job to join certain (public) lists. In other cases, the act of joining a mailing list implies consent. If you don't want the list to process your Personal Data (email address), don't join it. In other cases, consent may be inherited from other terms and conditions: eg your ISP or registrar puts you on some mailing list for management of your account or whatever and you agree to that as a part of doing business together.
Yes, consent is implicit, but difficult to prove. And we are talking about MLMs, the most privacy-compliant example of mail forwarding. Let me note that MLMs, by design, used to protect their subscribers much before 1995. IOW, the only change they made in response to privacy laws was the wording in their footers and/or web sites. For newsletters and dot-forward files, the improvements brought in by the "process" are much more noticeable. For example, dot-forward files can be reworked in order to obtain an effect similar, in practice, to email address portability.
I am not a lawyer and don't play one on TV. However I have dealt with Data Protection issues and had too many non-trivial discussions with a DPA, the UK Information Commissioner's Office. [ICANN gTLD registry contracts and whois, if anyone cares... The scars have nearly healed in case any of you are asking.] The short answer to how your SMTP concern plays out will depend on the view of your DPA. So ask them. Or ask your lawyer first and then ask the national DPA.
I would be surprised if there was unanimity or even consensus amongst the EU DPAs on this topic, assuming they have considered this issue in WP29. And yes, I realise this is underpinned by a couple of EU Directives. But how these get enacted and enforced in national law differs from country to country. Then there's the question of how the national DPA sees its responsibilities and priorities. I would expect most will either not care about electronic mailing lists or take the pragmatic view that since list membership is under the user's control, that in itself provides the required consent. However I would not bet money on this.
Yes, you are perfectly right on this. IANAL too, and have serious difficulties following such kind of discussions. I'm a programmer and would rather implement something. For such a task, the wording on the web page is about as important as its background color. However, yes, lawyers should talk about what the process would do, and check that member states can agree uniformly. I think they did an egregious theoretical work with Directive 95/46/EC. Further directives on the same subject seem to me to be somewhat weaker (and they never mention actual IETF protocols.) Staffan also expresses some concerns on this point. I reply to him below.
Another rat-hole to explore is what the list manager does with the Personal Data and if consent is needed for adding list members to other lists. Or lists of lists. What constitutes proportionate and fair usage of Personal Data then? My head is now starting to hurt...
Perhaps we could invite someone from WP29 to speak about this at the next WG meeting?
MLMs' conceptual model is fine as it is. Software would only need minor changes, possibly none. There are still lists that have no web interface, so one could just add the "process" on top of them. Those who implement a confirmation page may want to change it. For example, the user's confirmation (the consent) could even be done by the user's server, and transmitted to the MLM thereafter.

On 19/May/11 09:10, Staffan Jonson wrote:
Yes, agree with you. The idea is a shortcoming.
Yeah, possibly :-)
My experience tells me that law seldom originates from (the need of) individual users or a protocol, but from legal tradition in the legislation, i.e. eventually, interpretation by 27 member state (MS) legislations will go before directive intentions.
Apparently, this is indeed the best we (Europeans) have been able to do. IMHO, testing if it works for the Internet era is an interesting exercise in its own respect. EDI has undergone similar issues, and more will come.
This means - if understood correctly - that the data consent procedure is decided upon in each and every MS. In other words, rules may actually vary a bit, which from a protocol view just will make the situation worse.
Therefore, I agree with Jim Reid on this: "But how these get enacted and enforced in national law differs from country to country."
Fragmentation should be avoided. On the contrary, if the process works correctly and proves to be useful, then it will likely be adopted beyond Europe.

From my point of view, the fact that the process can save paperwork is a side effect that helps its initial diffusion. The main aim is understanding mail streams so as to dominate spam. OTOH, that paperwork is a waste of resources and, personally, I won't do it anyway. I wonder for how long the people who do it will want to continue doing so...
When interpreting this directive into Swedish law, lawyers currently discuss the criteria for what makes an 'active consent' just active. Can the automation of consents by protocols be a way to meet legislators' demands on active consent? In the end, it's an interpretation if automation is enough, and we'll probably have a ruling in this by national court, eventually.
Yes, that is not much different from companies deciding to use a given software tool, but on a national scale.

From a governmental point of view, I think they should also wonder how long citizens will want to obey laws that require obsolete manual procedures. Lawyers should understand the difference between processes that work in practice versus paperwork that can be considered "theoretical" inasmuch as those papers are seldom read. Given an opportunity to ease and enhance citizens' work, they should take it --but who knows?

On 19 May 2011, at 19:35, Alessandro Vesely wrote:
It's ok for these terms, for the sake of this discussion. In case we want to expand it, we'll have to give it a name and a specification. Further steps would be implementing it, testing, and finding out how to publish it as an RFC.
I think you may be too far ahead of everyone Alessandro. It's not clear to me that there is a problem here that needs fixing. So far, no DPA appears to be demanding action about this issue or even saying that more formal consent processes are needed for mailing lists. I'd be inclined to wait until WP29 comes forward with a clear problem statement and set of requirements. Doing protocol development without these foundations is unlikely to produce anything useful: ie the IETF comes up with a solution to a different problem from the one that the DPAs care about.

It would be nice if a DPA could come to this WG to talk about this issue. After all the WG exists to facilitate this sort of industry-government dialogue.

Jim, you've pinned the crux of the matter.

On 20/May/11 13:46, Jim Reid wrote:
So far, no DPA appears to be demanding action about this issue or even saying that more formal consent processes are needed for mailing lists. I'd be inclined to wait until WP29 comes forward with a clear problem statement and set of requirements. Doing protocol development without these foundations is unlikely to produce anything useful: ie the IETF comes up with a solution to a different problem from the one that the DPAs care about.
More likely, there will be no "IETF solution" at all, because of lack of traction. On the one hand, the IETF consider they cannot compel protocol deployment. On the other hand, WP29 assume they cannot get down to protocol level details. How can we use both hands together?
It would be nice if a DPA could come to this WG to talk about this issue. After all the WG exists to facilitate this sort of industry-government dialogue.
Honestly, I didn't know about the Article 29 Working Party until you wrote about it. I've also been told about an International Working Group on Data Protection in Telecommunications (IWGDPT). I have no idea who exactly they are, and guess I'd just catch many headaches if I try to contact them directly. It would be nice to find law-oriented participants in this WG, who feel like liaising the dialogue. BTW, "industry-government" is not exact if this will result in a legally endorsed IETF solution implemented with free software.

I still do not see what you are after, given the various rules regarding "temporary storage" that exist.

Patrik

On 20 May 2011, at 18.06, Alessandro Vesely wrote:
Jim, you've pinned the crux of the matter.
On 20/May/11 13:46, Jim Reid wrote:
So far, no DPA appears to be demanding action about this issue or even saying that more formal consent processes are needed for mailing lists. I'd be inclined to wait until WP29 comes forward with a clear problem statement and set of requirements. Doing protocol development without these foundations is unlikely to produce anything useful: ie the IETF comes up with a solution to a different problem from the one that the DPAs care about.
More likely, there will be no "IETF solution" at all, because of lack of traction. On the one hand, the IETF consider they cannot compel protocol deployment. On the other hand, WP29 assume they cannot get down to protocol level details. How can we use both hands together?
It would be nice if a DPA could come to this WG to talk about this issue. After all the WG exists to facilitate this sort of industry-government dialogue.
Honestly, I didn't know about the Article 29 Working Party until you wrote about it. I've also been told about an International Working Group on Data Protection in Telecommunications (IWGDPT). I have no idea who exactly they are, and guess I'd just catch many headaches if I try to contact them directly.
It would be nice to find law-oriented participants in this WG, who feel like liaising the dialogue.
BTW, "industry-government" is not exact if this will result in a legally endorsed IETF solution implemented with free software.

On 21/May/11 09:05, Patrik Fältström wrote:
I still do not see what you are after, given the various rules regarding "temporary storage" that exist.
I'm not sure what rules you mean. Let's assume, for example, that I have the addresses of all cooperation-wg subscribers in my personal address book. Then, if I send a message to all of us, my outgoing mail server will temporarily store the corresponding personal data for the sake of running my post through its queue. I think the Data Protection Directive imposes no duty in such case. Is this what you mean?

Let me note again how transparent a MLM is in doing its job. It lets recipients know which specific (non-temporary) list their address was extracted from. Not all list exploders work this way.

On 21 May 2011, at 12.18, Alessandro Vesely wrote:
On 21/May/11 09:05, Patrik Fältström wrote:
I still do not see what you are after, given the various rules regarding "temporary storage" that exist.
I'm not sure what rules you mean. Let's assume, for example, that I have the addresses of all cooperation-wg subscribers in my personal address book. Then, if I send a message to all of us, my outgoing mail server will temporarily store the corresponding personal data for the sake of running my post through its queue. I think the Data Protection Directive imposes no duty in such case. Is this what you mean?
Yes, as it is a temporary thing. And, it is absolutely not clear at all if email addresses by themselves impose privacy information if they for example are not even connected to the name of a person. Etc.
Let me note again how transparent a MLM is in doing its job. It lets recipients know which specific (non-temporary) list their address was extracted from. Not all list exploders work this way.
Correct. But also, it depends on what information was sent to people when they subscribed, if they subscribed themselves, or if they were subscribed. Etc. I think we should be careful not to make a rooster out of a feather. We are still a few sandwiches short of a picnic.

Patrik

Hi

Yes, agree with you. The idea is a shortcoming.

My experience tells me that law seldom originates from (the need of) individual users or a protocol, but from legal tradition in the legislation, i.e. eventually, interpretation by 27 member state (MS) legislations will go before directive intentions. This means - if understood correctly - that the data consent procedure is decided upon in each and every MS. In other words, rules may actually vary a bit, which from a protocol view just will make the situation worse. Therefore, I agree with Jim Reid on this: "But how these get enacted and enforced in national law differs from country to country."

When interpreting this directive into Swedish law, lawyers currently discuss the criteria for what makes an 'active consent' just active. Can the automation of consents by protocols be a way to meet legislators' demands on active consent? In the end, it's an interpretation if automation is enough, and we'll probably have a ruling in this by national court, eventually.

/Staffan
Cell phone: + 46/0 73 317 39 67
Mail: staffan.jonson@iis.se

-----Original message-----
From: cooperation-wg-admin@ripe.net [mailto:cooperation-wg-admin@ripe.net] On behalf of Alessandro Vesely
Sent: 18 May 2011 20:56
To: cooperation-wg@ripe.net
Subject: [cooperation-wg] SMTP forwarding in the face of Data Protection Directive

Hi all, can a tool for lawfully acquiring a user's consent via the Internet motivate SMTP operators to modify their procedures in such a way that spam can be countered more effectively? Let me please expand slightly on this question, I'll try and be concise.

It is well known that the Simple Mail Transfer Protocol provides for replacing the envelope recipient with one or more other email addresses. This server forwarding is not to be confused with manually forwarding a message from a client. Mailing lists and newsletters are operated that way, as well as redirection configured by means of "dot forward" static files. Since email addresses are personal data, their processing is covered by Directive 95/46/EC.

How is the data subject's consent acquired? In response to the Data Protection Directive, operators should have defined a protocol for obtaining and keeping proof of the consent. It never happened. In fact, it is very difficult to introduce new protocols for email --new protocols for web operations come about much more frequently.

Evidence that consent has been granted can be provided by the data subject's mail exchanger (MX, a.k.a. the user's incoming mail server). It can digitally sign a notification from the data processor. That way, the user's server becomes aware of a new wanted stream of messages, and can whitelist it. That is, it can skip anti-spam checking for those messages. As bulk messages account for a significant part of legitimate mail, anti-spam measures could then be significantly strengthened.

The users' advantage is to have an automatically maintained list of subscriptions, and a uniform interface to manage them. Currently, users have to interact with what can be called a "time-distributed database", in the sense that monthly or yearly they may receive subscription reminders...

The obvious shortcoming of this idea is that mail server operators simply won't install any new software if their systems can work acceptably well without it. However, acquiring written consent is such a pain to many businesses that, perhaps, they will install that software if it helps them comply with privacy issues. What do you think?

TIA for any comment

* Alessandro Vesely:
How is the data subject's consent acquired? In response to the Data Protection Directive, operators should have defined a protocol for obtaining and keeping proof of the consent. It never happened.
It seems to me that the industry has come up with a pretty widely adopted protocol: send a probe message to the mailbox, and if that is confirmed, include the address in the distribution list. At this point, the potential subscriber can also be told about list policies, including archival of messages submitted.
The users' advantage is to have an automatically maintained list of subscriptions, and a uniform interface to manage them. Currently, users have to interact with what can be called a "time-distributed database", in the sense that monthly or yearly they may receive subscription reminders...
There are standardized mail headers which help to manage mailing list subscriptions. They are rarely used in commercial environments, though.

-- 
Florian Weimer <fweimer@bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99

On 23/May/11 09:09, Florian Weimer wrote:
* Alessandro Vesely:
How is the data subject's consent acquired? In response to the Data Protection Directive, operators should have defined a protocol for obtaining and keeping proof of the consent. It never happened.
It seems to me that the industry has come up with a pretty widely adopted protocol: send a probe message to the mailbox, and if that is confirmed, include the address in the distribution list. At this point, the potential subscriber can also be told about list policies, including archival of messages submitted.
Mailing lists have been doing so for 40 years; they just miss proofs of consent. OTOH, commercial newsletters collect consent once, in writing, e.g. as a checkbox on a manually signed printed form, and then skip confirming the email address. The latter behavior is compliant with Directive 95/46/EC, but the relevant data cannot be used for whitelisting because it is not machine-readable. Thus, we (Europeans) suffer the downside of privacy laws without enjoying the advantages. In some cases, users may consent that their personal data be shared with other newsletters. Such subscriptions are not going to be notified to users: they'll receive messages without knowing how senders got their addresses. Finally, some brain-damaged senders seek users' consent via email :-O
The users' advantage is to have an automatically maintained list of subscriptions, and a uniform interface to manage them. Currently, users have to interact with what can be called a "time-distributed database", in the sense that monthly or yearly they may receive subscription reminders...
There are standardized mail headers which help to manage mailing list subscriptions. They are rarely used in commercial environments, though.
Yeah, if List-Id and List-Unsubscribe were used consistently, with SPF or DKIM authentication, it would be possible to gather subscriptions and unsubscriptions unilaterally at recipients'. But such bulk mailer behavior is not currently specified by an official standard, AFAIK.
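As an added illustration (not code from the thread or from any of its participants), the Python script below sketches the recipient-side view that the opening message and this last reply describe: it builds a registry of list subscriptions from List-Id and List-Unsubscribe headers, but only for messages whose sending domain the local MX has itself authenticated (a dkim=pass or spf=pass that our own MX recorded in an Authentication-Results header) and whose List-Id domain aligns with that authenticated domain; a later message from a registered, authenticated list is flagged as a known stream for which content filtering could be relaxed. The MX identity `mx.example.net`, every domain name, the sample messages and the alignment rule are constructed assumptions, not anything the thread specifies.

```python
# Added example: recipient-side subscription registry built from List-* headers
# plus the local MX's own authentication results. All names are constructed.
import re
from email import message_from_string
from email.policy import default

AUTHSERV_ID = "mx.example.net"  # identity our MX writes into Authentication-Results (assumed)
AR_METHOD = re.compile(r"\b(dkim|spf)=(\w+)")
AR_DKIM_DOMAIN = re.compile(r"header\.d=([\w.-]+)")
AR_SPF_DOMAIN = re.compile(r"smtp\.mailfrom=(?:[^@\s]+@)?([\w.-]+)")


def authenticated_domains(msg):
    """Domains for which OUR MX recorded dkim=pass or spf=pass. Headers carrying
    another authserv-id are ignored: anyone upstream could have inserted them."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = str(value).partition(";")
        if authserv.strip().lower() != AUTHSERV_ID:
            continue
        for clause in results.split(";"):
            m = AR_METHOD.search(clause)
            if not m or m.group(2).lower() != "pass":
                continue
            pattern = AR_DKIM_DOMAIN if m.group(1) == "dkim" else AR_SPF_DOMAIN
            d = pattern.search(clause)
            if d:
                domains.add(d.group(1).lower())
    return domains


def list_identity(msg):
    """(list-id, owning domain) from List-Id (RFC 2919), or None. The domain is
    taken as everything after the first dot: a heuristic, not an RFC rule."""
    raw = msg.get("List-Id")
    if not raw:
        return None
    m = re.search(r"<([^>]+)>", str(raw))
    list_id = (m.group(1) if m else str(raw)).strip().lower()
    _, _, domain = list_id.partition(".")
    return list_id, (domain or None)


def aligned(list_domain, auth_domains):
    """Relaxed alignment (constructed rule): the List-Id domain equals, or is a
    sub/parent domain of, a domain our MX authenticated."""
    return any(list_domain == a or list_domain.endswith("." + a)
               or a.endswith("." + list_domain) for a in auth_domains)


def process(raw_message, registry):
    """Classify one message and update the registry of known list streams."""
    msg = message_from_string(raw_message, policy=default)
    ident = list_identity(msg)
    if ident is None:
        return "not-a-list-message"
    list_id, list_domain = ident
    auth = authenticated_domains(msg)
    if not auth:
        return "unauthenticated"  # a List-Id header alone proves nothing
    if list_domain is None or not aligned(list_domain, auth):
        return "misaligned"  # authenticated, but not as the list's own domain
    if list_id in registry:
        return "whitelisted"  # known, authenticated stream: filtering may be relaxed
    registry[list_id] = {"domain": list_domain,
                         "unsubscribe": str(msg.get("List-Unsubscribe", "")).strip()}
    return "recorded"


def unsubscribe(registry, list_id):
    """Forget a subscription; return its List-Unsubscribe target, or None."""
    entry = registry.pop(list_id.lower(), None)
    return entry["unsubscribe"] if entry else None


def _build(*headers, body="hello"):
    return "\n".join(headers) + "\n\n" + body + "\n"


# Constructed sample traffic, as seen after our MX added its own A-R header.
LIST_HEADERS = ("From: Discussion List <discuss@lists.example.org>",
                "To: alice@example.net",
                "List-Id: General discussion <discuss.lists.example.org>",
                "List-Unsubscribe: <mailto:discuss-leave@lists.example.org>")
SAMPLES = [
    # 1. genuine post: DKIM and SPF pass for the list's domain
    _build("Authentication-Results: mx.example.net; dkim=pass header.d=lists.example.org;"
           " spf=pass smtp.mailfrom=bounces.lists.example.org", *LIST_HEADERS),
    # 2. forged: a 'pass' recorded by someone else, while our own MX saw dkim=fail
    _build("Authentication-Results: upstream.example; dkim=pass header.d=lists.example.org",
           "Authentication-Results: mx.example.net; dkim=fail header.d=lists.example.org; spf=none",
           *LIST_HEADERS),
    # 3. authenticated, but as a domain other than the one List-Id claims
    _build("Authentication-Results: mx.example.net; dkim=pass header.d=bulk.example.com",
           *LIST_HEADERS),
    # 4. second genuine post from the list registered by sample 1
    _build("Authentication-Results: mx.example.net; dkim=pass header.d=lists.example.org",
           *LIST_HEADERS, body="second post"),
    # 5. ordinary one-to-one mail, no List-Id at all
    _build("Authentication-Results: mx.example.net; dkim=pass header.d=example.com",
           "From: bob@example.com", "To: alice@example.net"),
]


def run_samples():
    """Feed the samples through in order; return (decisions, registry)."""
    registry = {}
    return [process(raw, registry) for raw in SAMPLES], registry


if __name__ == "__main__":
    decisions, registry = run_samples()
    print(list(zip(range(1, len(decisions) + 1), decisions)))
    print("unsubscribe ->", unsubscribe(registry, "discuss.lists.example.org"))
```

Every message, not only the first, has to pass the authentication and alignment checks before the registry is consulted: a List-Id header is free text that costs a sender nothing, and the same goes for an Authentication-Results header written by anyone other than the local MX, which is why `authenticated_domains` discards results whose authserv-id is not its own. The registry therefore only tracks streams that proved their origin; whether a proven stream is actually wanted by the user is still the consent question the thread is about.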
participants (5)
- Alessandro Vesely
- Florian Weimer
- Jim Reid
- Patrik Fältström
- Staffan Jonson