Author: Patrick von der Hagen
Date:
To: Ian Eiloart
CC: exim-users
Subject: Re: [exim] Out of Office and collateral spam
On Wednesday, 19.12.2007, 16:11 +0000, Ian Eiloart wrote:
[...]
> I understand that the situation is difficult in Germany, but you're really
> not allowed to reject spam? What if you're subject to a denial of service
> attack? Are you allowed to switch your servers off?

Short answer: it depends. ;-) If I were under attack I would have lots
of liberties in handling that precise situation. But of course that's
not the normal situation.
Imagine a new corporation in Germany which releases an email policy
right away, which clearly states that e-mail is to be used for
business purposes only. That would be a perfect situation and the
company would be free to do almost anything about spam. I suppose it
could even delete incoming messages supposed to be spam; it would be
nasty but probably legal. Non-spam e-mail issues would be easy and legal
too. For example, if an employee had an accident, some replacement
person might be granted access to the mailbox.
Now forget the perfect world....
Imagine a corporation using e-mail for several years and no one
considered it to be necessary to release some e-mail regulation. Then
the employees might start sending and receiving private e-mail with
their company mailbox. If nobody does anything about it, private use of
company mailboxes will turn to "corporate practice" (a bad translation
of the German term "betriebliche Übung"). That would be considered
"worst case". If there is a corporate practice, it is a privilege of the
staff and you can't get rid of it easily. One could try to negotiate
with the staff association, but they wouldn't like it. Even if you reach
a corporate agreement with the staff association, it might not be enough
to get rid of the corporate practice. You might even need "dismissal
with the option of altered conditions of employment" with all your
employees.
I'm afraid this might be the "normal" situation. It has some bad
side-effects, e.g. a mailbox might contain private data, so if an
employee had an accident, you would not be allowed to grant access to
the mailbox to a replacement person. Cool, isn't it?
And of course, since the mail your filter considers to be spam might be
a private message, you might need the (written) consent of each employee
to do something about spam.
You might even be considered to offer e-mail services which might lead
to the duty of data retention for six months under EU regulations... the
law is still warm and not yet active, but I talked to a lawyer who
believes this might happen. It is a matter of interpretation, so we will
have to wait for the first decisions at court.
The last example:
consider a university. Lots of employees who started using their
university mailboxes for private purposes ages ago. Some regulations
which have been updated to include "email is for university purposes
(education, research, ...) only" recently. Thousands of students, half of
them started with the old regulations, the others with the new
regulations. The employees have a staff association to represent them,
but there is no one representing the students.... Of course there are
students employed by the university to do some small jobs, so they are
both employee and student. And some people neither employee nor student
have e-mail addresses at the university, for example research partners
cooperating in special projects.
Now add some more complications to get a little taste of my world. ;-)
Oh, and by the way: of course there is "sparingness of data collection"
as a base principle of privacy. So you are allowed to keep logs only if
you can justify that you need them. If you don't do accounting of each
e-mail you are not allowed to keep logs. If there is a problem you can
activate logging temporarily to solve the problem, but you can't argue
"e-mail is a problem by design" and activate logging permanently. Not if
you follow the law to the letter.
Some lawyers consider it to be acceptable to keep logs for up to five
workdays, some would even accept seven days. But so far no court
actually had to decide such an issue, so that is just speculation.
The message got longer than I wanted and I did consider not sending it to
exim-users but privately to Ian, but I considered it necessary to
correct Jan's statement regarding Ian's question on the list.