Feedback loops sent to third parties tend to have PII stripped. Based on a definition of PII that does not regard IP addresses as personal data. On Jul 26, 2012 11:05 PM, "Alessandro Vesely" <vesely@tana.it> wrote:
On Thu 26/Jul/2012 18:37:55 +0200 Tobias Knecht wrote:
In the words of RFC 6650:
Don't get me wrong, this rfc is a good one an clarifies some things, but it is written by Americans under their understanding of US law.
IMHO, it is not so much being Americans or whatever, as being versed on legal points of view.
Some things that are mentioned are not possible under European Jurisdiction. For example providing Feedbackloops is especially in Germany a very critical task.
Is it? I guess in Italy we have more or less the same European directives. So long as the user is clearly informed about what data is being sent to who, and grants her/his consent to that, it should be legal to do FBLs. Yet, IANAL.
The best thing, IMHO, would be do gather users' consent on the first time they hit a "This is Spam" button. At the same time, give them the option to redact their email address in the header. (See http://tools.ietf.org/html/rfc6590 ).
So rfc 6650 is good but unfortunately does not fit all use and legal cases.
We need to clear up this issue. Googling for that I find that ETIS, which is based in Europe, has an "Anti SPAM Co-operation Group" that "is also working on an anti-spam feedback loop project." (Quotes from http://etis.org/groups/anti-spam-task-force ). I'd guess you know them; they have a meeting on next Oktoberfest... Would they cover those legal concerns?
A recurring objection in the acm-tf was that RIPE handles just a region, and therefore we'd need anti-abuse practices to be specified by some global body such as the IETF. Now we have it. We should use it as we use SMTP. And the fact that our law is better than theirs should be an aid, not a hindrance!
In addition to that, I do not have any problem in single persons reporting abuse incidents as long as they are useful. And even people in the registration business sometimes do not know how to report correctly, which is not bad it's just that they haven never done it before and need somebody/something that guides them through, which should be one of the next tasks for this community to define.
Very much agreed. We need to exchange scripts and ideas.