[anti-abuse-wg] Legal concerns, was Manual vs automated reports
Alessandro Vesely vesely at tana.it
Tue Jul 31 19:57:53 CEST 2012
On Sun 29/Jul/2012 09:47:52 -0700 Tobias Knecht wrote:
>
> That would mean that a user has to click 50 times the spam
> button, then 50 times "Yes I want to report this message!" and then
> 50 times "I'm okay that this message will be sent to X!"

And that, of course, does not leave you anything that a court would
consider a proof that consent was granted. For contractual issues, I
see telcos hire call-center staff in order to ask for the user's consent
on the phone, taping a formal question-and-answer sequence that can be
kept as a proof.

> We first need to find a simple, secure way for end users to report that
> does not destroy the usability and the trust, and then come up with
> solutions.

Exactly! I'm not sure to what extent OAuth or OpenID can provide useful
techniques. There seems to be an original sin in privacy practices,
whereby anything Internet-related is assumed to be evil. There are no
established protocols to grant consent through the net.

>> We need to clear up this issue. Googling for that I find that ETIS,
>> which is based in Europe, has an "Anti SPAM Co-operation Group" that
>> "is also working on an anti-spam feedback loop project." (Quotes from
>> http://etis.org/groups/anti-spam-task-force ). I'd guess you know
>> them; they have a meeting on next Oktoberfest... Would they cover
>> those legal concerns?
>
> Yes, ETIS is exactly working on these legal issues, but imho have not
> found a way around it. The project that is ongoing there has nothing
> to do with user feedback. It's about spamtrap data provided by the
> ETIS members. I'll probably be at the next ETIS meeting in Munich and
> hopefully can help to take some next steps.

I wrote to them, but got no answer yet. I'd be happy to participate as
well, if it helps.

> We have an IETF specification, but this does not stand over the law.
> We can specify as much as we want; if this is not within the legal
> framework we can't use it. And that is exactly what I mean: the RFC
> you mention does not take into account that the European legal system is
> opt-in and not opt-out. Same in the other direction. Most ESPs in
> the US don't care about opt-ins, which are legally recommended in Europe.

Hm... yeah, something. Americans have their own conundrums, such as
patents. Those legal hypes seem to be related to temporary
idiosyncrasies originating from a particular case, rather than to
applications of a general, uniform logic. For example, SMTP-forwarding
is obviously incompatible with privacy, but nobody seems to be concerned
about how many times users must confirm that they want to receive a
commercial newsletter. Instead, lawyers argue that the mere presence of
an email address in a publicly (or privately) accessible list may imply
its owner's consent. By a similarly opportunistic argument, sending a
message back to one of the entities who relayed it should imply no leak
of information, since that data is already known to the relay. It has
to be attached as a means of identifying it. If laws can be interpreted,
it is not acceptable that interpretations only favor spammers :-/

> This is a basic difference between the US and Europe which cannot be
> ironed onto the same level. The outcome must be the same, but the way
> to this will be different.

Yes, I'd hope that users signalling messages to European ISPs can be
better informed of what such a signal means, w.r.t. American users.