privacy laws

From FixForwarding

By privacy laws we mean any of the legal frameworks that regulate information privacy in the USA, the EU, and a number of other countries. Although not uniform, the existing bodies of rules tend to converge toward certain principles aimed at protecting people against indiscriminate use of collected personally identifiable information, a.k.a. personal data.

Freedom in the digital era

Advances in electronics allow for pervasive and widespread control over what people do. Digital control can provide compelling tools for implementing business practices on an unprecedented scale. While customers used to be able to guard against a shopkeeper's cunning by themselves, they are now defenseless against corporations that systematically exchange their customers' personal information.

As often happens during the transition from one era to the next, criteria and even laws that were stipulated at a time when their enforcement relied on radically different means may become questionable. The efforts undertaken thus far to define the legal terms and the issues raised by the new scenario are the first chisel blows toward establishing its future shape.

The Internet protocols that make all this possible, including SMTP, were necessarily designed before it all began.

Legal conundrum

In most countries, storing personal data on a server should be controlled by law. In Europe, in particular, this is never done in compliance with the letter of Directive 95/46/EC. Mailing lists comply with the spirit of 95/46/EC, but then they were run in the same way even before 1995, when the Directive was issued. 2023 update: California's DELETE Act Protects Us From Data Brokers.

Laws have the nasty habit of snubbing technology. Possibly they do so in order to address many technologies at once, but the result is often the opposite: they miss all of them at the same time. Email is sometimes assimilated to telephone or fax calls, sometimes to traditional paper mail, at times even to newspaper publishing. Such ambiguity has little practical effect, if any. In particular:

  • while data controllers are allowed to build databases of subjects, subjects are inequitably hindered from building databases of controllers,
  • mailing lists have no means to prove subscriptions,
  • newsletters don't allow recipients to directly control the forwarding mechanism,
  • illegal disclosure of email addresses cannot be detected,
  • responsibility for injecting spam remains ambiguous,
  • bounces from forwarders may reveal recipients' identities, thereby betraying any anonymity that forwarding might have implied.

One of the downsides of the wp:Data Protection Directive is the work required for collecting subjects' consent. For email use, paperwork-based procedures are rather impractical and apparently clash with the rest of the computer-based procedures. On the other hand, since spam is a major concern, email servers run a number of checks trying to ascertain the legitimacy of incoming mail; however, the recipient's consent cannot be checked, because the paperwork produced to comply with the law is not machine-readable.

There is an EU regulation, wp:eIDAS, a standard developed for transactions in the EU single market. It can be considered a sort of S/MIME extension; that is, it features centralized key management, the main difference with respect to the PGP suite. That way, a data subject's consent could be acquired by means of a trust service provider, according to the regulation. A statement like this would be consistent with law-regulated privacy protection.

Implementing the law

Opt-in and opt-out are two key concepts for regulating how commercial newsletters may be sent. The SMTP protocol talks about mailing lists, not newsletters. Technically, they are the same thing, since the exact working of the subscribe and unsubscribe operations is not rigorously specified.

RFC 2369 mandates some header fields carrying special URLs. The List-Unsubscribe header field contains the command to directly unsubscribe from the list; RFC 8058 adds the List-Unsubscribe-Post header field for one-click unsubscription. However, mail clients usually don't show it to the user. A possible reason for that uncooperative behavior may lie in the unknown nature of the command, which may expose the user to security risks if programmed by a malicious sender.
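The security risk mentioned above is that the header carries an arbitrary command chosen by the sender. A client can limit its exposure by parsing the field strictly and acting only on the narrow, well-defined cases. The following Python is an added illustration, not code from the FixForwarding project: it extracts the URIs from List-Unsubscribe (RFC 2369), keeps only https and mailto targets, and enables RFC 8058 one-click unsubscription only when exactly one HTTPS URI is present, List-Unsubscribe-Post carries the fixed value, and the caller reports that the message's DKIM signature verified (DKIM verification itself is assumed to happen elsewhere). The sample messages and token values are constructed for the example.

```python
"""
Defensive handling of RFC 2369 List-Unsubscribe and RFC 8058
List-Unsubscribe-Post header fields on the mail-client side.
Added example; not code from the FixForwarding project.
"""
import re
from email import message_from_string
from urllib.parse import urlparse

# RFC 8058 fixes the POST body a client sends for one-click unsubscription.
ONE_CLICK_BODY = "List-Unsubscribe=One-Click"
# URI schemes a client may act on; anything else in the header is ignored.
SAFE_SCHEMES = {"https", "mailto"}


def _unfold(value: str) -> str:
    """Collapse RFC 5322 folding whitespace (continuation lines) into single spaces."""
    return " ".join(value.split())


def parse_list_unsubscribe(value: str) -> list[str]:
    """Return every <URI> found in a List-Unsubscribe field value, in order."""
    return re.findall(r"<([^<>]+)>", _unfold(value))


def unsubscribe_policy(raw_message: str, dkim_verified: bool) -> dict:
    """Decide what a client may do with the unsubscribe fields of one message.

    dkim_verified is supplied by the caller (assumption): RFC 8058 requires a
    valid DKIM signature covering both header fields before one-click is used,
    and signature verification is outside this example.
    """
    msg = message_from_string(raw_message)
    uris = [u for v in msg.get_all("List-Unsubscribe", [])
            for u in parse_list_unsubscribe(v)]

    result = {"https": [], "mailto": [], "rejected": [], "one_click": None}
    for uri in uris:
        scheme = urlparse(uri).scheme.lower()
        if scheme in SAFE_SCHEMES:
            result[scheme].append(uri)
        else:
            # http://, file:// and similar targets are never followed.
            result["rejected"].append(uri)

    post = msg.get("List-Unsubscribe-Post")
    one_click_ok = (
        post is not None
        and _unfold(post) == ONE_CLICK_BODY   # exact fixed value, nothing else
        and len(result["https"]) == 1         # RFC 8058: exactly one HTTPS URI
        and dkim_verified                     # authenticated origin
    )
    if one_click_ok:
        result["one_click"] = result["https"][0]
    return result


def build_one_click_request(url: str) -> dict:
    """Describe (without sending) the POST an RFC 8058 client would issue."""
    return {
        "method": "POST",
        "url": url,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": ONE_CLICK_BODY,
    }


# Constructed sample messages for the example (not real mail).
GOOD_DIGEST = """\
From: news@example.com
To: alice@example.net
Subject: Weekly digest
List-Unsubscribe: <mailto:leave@example.com?subject=unsubscribe>,
 <https://example.com/unsub?token=abc123>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Hello Alice, here is this week's digest.
"""

ODD_SENDER = """\
From: offers@example.org
To: alice@example.net
Subject: Special offer
List-Unsubscribe: <http://example.org/u?id=42>, <ftp://example.org/u>
List-Unsubscribe-Post: List-Unsubscribe=One-Click

Click to stop receiving this.
"""

if __name__ == "__main__":
    for label, raw in (("good", GOOD_DIGEST), ("odd", ODD_SENDER)):
        print(label, unsubscribe_policy(raw, dkim_verified=True))
```

The second sample passes the List-Unsubscribe-Post check but offers no HTTPS target, so the client lists its URIs as rejected and never issues a request; the first sample qualifies for one-click only when the caller confirms the DKIM signature, otherwise the HTTPS and mailto targets are merely reported for the user to act on deliberately.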

In addition, whatever method of subscribe or unsubscribe gets executed, users are given just a notice of the outcome of the operation, which they seldom save or print. The data remains at the list owners', which makes it hard to take a legal stance. There is no need to take legal action, because legitimate senders always honor users' commands; however, such tautological statements contribute to making spam a fuzzy term.

An email address is considered personally identifiable data. The agreement of its owner is required for storing and using that data. Its owner has the right to amend or delete it. It is the law. The solution proposed provides for a standard unsubscribe method, and for a copy of the users' commands to be kept by their mailbox provider.

An example

Alice used to work for example.com. When she left, she asked the postmaster to place a .forward file for her, in order to continue receiving personal mail. After a few years, only spam is being forwarded. She would like the forwarding recipe to be removed. However, the postmaster she knew has also left the company.

Of course, she could make an official request to the company. That implies getting in touch with her former boss. However, she wouldn't like to call him, possibly for the same reasons that she left the company years ago.

Asking someone else to do something for us is not the same as doing it directly. Does the term wiki teach anything in this respect?