GDPR

Discussion of items in the "What's New" log.

GDPR

Postby josh » Sun May 20, 2018 6:42 am

As you know, GDPR is becoming effective on May 25, 2018, which is a great thing. I've done a bunch of reading, and I don't see that we need to change anything to be compliant. We've never sent even one message to our user base (we do send account confirmation and password reset messages of course, and we try to reply to individual users who email us), our privacy policy is strict, and we stick to it. We've never shared our (sparse and likely near worthless) user information with anyone or used the information for any purpose other than providing the service, and we don't plan on ever doing any of that kind of stuff.

It's worth noting that I designed the system from the start to avoid having any personal data as it was then defined by EU laws. While it's true that we're really not interested in your demographic information, it was happily also true that our data structure fell short of including more than one item of personal info - your protected email address - and for quite some time I was confident we fell outside the regulations altogether. Now I'm less sure, since the definition seems to have expanded. (Certainly your email goes through the system and lots of things could be in that. But we merely forward it, and we don't look at it other than putting our tags in the headers/subject line and swapping out your email address if you have reply address masking enabled).

But there is one real concern I have, and I'm not sure what I can do about it -- that's false reporting. When our users get email messages through spamgourmet and report them as spam, sometimes the reporting systems are not smart and they blame spamgourmet along with (or instead of) the true source of the message. Fortunately this is somewhat rare and hasn't happened for awhile, but when it does, it's a nightmare - we've wound up on spam block lists that way (which prevents a whole lot of our users from receiving their mail) and had to scramble and tell the story to a bunch of hostile people over and over in order to get removed. Indeed there are some mail services who just permanently block us - and can't be reasoned with by us or our affected users - their customers. (Those users either have to find another email provider or not use spamgourmet - and possibly not any other forwarding service either)

These false reports have been way out in front as my least favorite part of running spamgourmet. My concern is that, with GDPR, their effects could get a whole lot worse. We definitely don't have the resources to fend off regulators who wrongly think we have personal data and that we're spamming our users, and the potential consequences are dire. I don't think anyone right now knows exactly what the enforcement mechanism will be like - I never want to find out...

I would welcome any brainstorming on this topic. I'm an American, so it's not really in my face day to day. I'm sort of in wait-and-see mode right now, and I'm hoping for the best. A worst-case scenario definitely has the potential to force us to shut down the service, though, so I want to be up front about that, and also ask for help thinking through it.
josh
 
Posts: 1342
Joined: Fri Aug 29, 2003 2:28 pm

Re: GDPR

Postby lwc » Tue May 22, 2018 5:30 pm

Some thoughts:
  1. Could this finally be the time to acknowledge viewtopic.php?t=1247 and stop treating Spamgourmet like an anonymizer service (except for people who privately ask otherwise)? This anonymity could be a major issue with GDPR and draw wrong conclusions. It might help against reply masking recipients who file complaints.
  2. For Spamgourmet users who file complaints, maybe sign all users to a legal agreement form.
  3. If the alternative of a shut down seems real, how about an automated signature like "this message was forwarded by"? Or maybe a header like https://en.wikipedia.org/wiki/X-Forwarded-For?
lwc
 
Posts: 337
Joined: Sat Aug 28, 2004 9:09 am

Re: GDPR

Postby josh » Tue May 22, 2018 10:00 pm

The history of each forwarded message is in the headers (I guess it would be possible for a server to forge the headers which are shown to come before it). I think the problem is really just a matter of spam reporting systems not really considering mail forwarding services in their design.

Anyway - I hope I'm needlessly anxious. I guess we'll know soon.


I did update the privacy policy to rearrange it some and to mention that we use exim and apache, which keep logs including IP addresses.
josh
 
Posts: 1342
Joined: Fri Aug 29, 2003 2:28 pm

Re: GDPR

Postby Clewby » Wed May 30, 2018 8:09 am

Hi josh,

I would be sad to see spamgourmet go, or change in character unnecessarily.

This page may help you decide what is, or is not necessary. I have no connections with the organisation.

https://cybercounsel.co.uk/pd/

"What is Personal Data under the GDPR?"

There is also guidance from the UK Data Regulator, and from the EU itself.

UK Data Regulator: https://ico.org.uk/for-organisations/gu ... tion-gdpr/

They say:

For a more detailed understanding of the GDPR it’s also helpful to read the guidelines produced by the EU’s Article 29 Working Party – which has now been renamed the European Data Protection Board (EDPB). The EDPB includes representatives of the data protection authorities from each EU member state, and the ICO is the UK’s representative. The ICO has been directly involved in drafting many of these. We have linked to relevant EU guidelines throughout the Guide to GDPR.


So there are a lot of official sources, as well as the non-statutory advice from the first link I gave above.

Note that IP addresses definitely are 'Personal Data', and they should not be stored in logs unnecessarily, or retained for longer than is necessary. This does not mean 'no logging', but you should have a 'data retention policy' that specifies what you use the data for, and how long you keep it, and have processes to assure that it is discarded at the end of the retention period. The protected email addresses you store to make the service work also are 'Personal Data'.

The UK Data Regulator’s pages are worth reading, because they do not encourage the hysterical hyperbole around the GDPR - note the section on 'Lawful basis for processing'

I suspect you might wish to consider getting explicit consent to process data for each protected address. Note that assuming consent is definitely not allowed. Even though the only sane reason for using spamgourmet is because you want to use the service, you have to get explicit consent to process personal data, unless you can explicitly rely on one of the other 5 reasons for processing personal data - for example, you might be able to use the 'Legitimate Interests' reason for lawful processing of 'Personal Data'. I would hazard a guess that you may well be able to do so - but I am not an expert, so Do Your Own Research!!!

Note that 'Personal Data' under the GDPR is not necessarily defined in the same way (it is likely broader in scope) as PII (Personally Identifiable Information) or SPI (Sensitive Personal Information) in the USA. Be careful not to confuse them.

I STRONGLY recommend reading the UK Data Regulator's guide, and the links through to the EU source.

As you have no business presence in Europe, I think you are pretty much out of jurisdiction*, even if the worst happened and a regulator decided to fine you; and I'm pretty certain regulators will have other, larger fish to fry. If the UK Data Regulator is any guide, they tend to be quite lenient on people/organisations, especially those who show willing, and you have to be pretty purposefully breaking the regulations to attract the big guns. Incompetence or ignorance gets a slap on the wrist and an admonition to do better, but if you continue to breach the rules wilfully, well...

The actual EU regulations (in English) are here: http://eur-lex.europa.eu/legal-content/ ... 79&from=EN

*That means you, personally. The GDPR does apply to the processing of an individual's data by an entity outside the EU/EEA if and when that individual is in the EU. So a company based in say, Japan, processing solely the Personal Data of Japanese natural persons is outside the scope of the GDPR - however, if that company processes the Personal Data of natural persons while the natural person is in the territory/jurisdiction of the EU/EEA, then the processing is in scope for the GDPR. In all likelihood, spamgourmet is processing the Personal Data of natural persons who are in the EU, so the spamgourmet service is in scope for the GDPR.
This has some interesting effects. As the scope of the GDPR is 'natural persons', and not just 'natural persons who are EU citizens/resident in the EU', it means that an American tourist in Paris is covered. So if that tourist logs onto their Internet banking service, where their data are processed by an American company in the USA, then that processing is in-scope for the GDPR, as the American tourist is a 'natural person' in the EU. it is a bit like the 'equal protection' clause of the US Constitution, which apples to all people in the USA, not just citizens (As the SCOTUS have held), the GDPR applies to all 'people' in the EU, not just citizens.
Clewby
 
Posts: 20
Joined: Mon Jun 13, 2011 4:48 pm

Re: GDPR

Postby Clewby » Wed May 30, 2018 8:45 am

josh,

Re: false reports.

I don't think the regulators will be too bothered about false reports, as you can easily demonstrate the truth of the case. They may be more interested in why an organisation (not you) is reacting to a false report, as it is clear proof that they are not processing 'Personal Data' accurately.

There are rights that individuals have with regard to 'automated decision making including profiling', which include:

At a glance

The GDPR has provisions on:
  • automated individual decision-making (making a decision solely by automated means without any human involvement); and
  • profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
The GDPR applies to all automated individual decision-making and profiling.
Article 22 of the GDPR has additional rules to protect individuals if you are carrying out solely automated decision-making that has legal or similarly significant effects on them.
You can only carry out this type of decision-making where the decision is:
  • necessary for the entry into or performance of a contract; or
  • authorised by Union or Member state law applicable to the controller; or
  • based on the individual’s explicit consent.
You must identify whether any of your processing falls under Article 22 and, if so, make sure that you:
  • give individuals information about the processing;
  • introduce simple ways for them to request human intervention or challenge a decision;
  • carry out regular checks to make sure that your systems are working as intended.


The requirement for a simple way to challenge a decision, plus the 'right to rectification, means that organisations inaccurately characterising messages forwarded by spamgourmet as spam might well find the regulators giving them a hard time. Generation of spam blacklists, and email profiling tools have suddenly become legally 'interesting'.
Clewby
 
Posts: 20
Joined: Mon Jun 13, 2011 4:48 pm

Re: GDPR

Postby josh » Sat Jun 09, 2018 1:36 pm

Thanks everyone

I'm calming down some. To be sure, I'm not worried about actually getting fined or sanctioned ultimately, rather it's the fear of having to spend a lot of time and resources fighting a bogus claim that's the concern.

I think I would argue successfully that signing up to the service off a page that tells you how it works by forwarding email to the address you provide must count as explicit "consent" to use the address to forward email

I'm pretty sure Article 22 would have to be twisted very far away from its original intent in order to be applied to anything that happens at spamgourmet

I updated our privacy policy to include details about (standard web and mail server) logging and to remind users that each user can retrieve (in XML) and/or delete personal data at any time in the user interface. It is kind of gratifying that spamgourmet has had these functions in place either since the beginning or at least long before GDPR came around.

Clewby wrote:The requirement for a simple way to challenge a decision, plus the 'right to rectification, means that organisations inaccurately characterising messages forwarded by spamgourmet as spam might well find the regulators giving them a hard time. Generation of spam blacklists, and email profiling tools have suddenly become legally 'interesting'.

I hadn't considered that GDPR might actually help protect spamgourmet (indirectly) from false reports this way. Certainly the spamgourmet users who make the reports which are misinterpreted are always dismayed at what's happening, and yet often have been powerless to do anything about it after the report was made.
josh
 
Posts: 1342
Joined: Fri Aug 29, 2003 2:28 pm


Return to What's New

Who is online

Users browsing this forum: No registered users and 1 guest