Re: [exim] Out of Office and collateral spam

Author: Ian Eiloart
Date:  
To: Patrick von der Hagen
CC: exim-users
New-Topics: [exim] Legality of spam rejection (Re: Out of Office and collateral spam)
Subject: Re: [exim] Out of Office and collateral spam


--On 19 December 2007 21:25:15 +0100 Patrick von der Hagen
<hagen@???> wrote:

> On Wednesday, 19.12.2007, at 16:11 +0000, Ian Eiloart wrote:
> [...]
>> I understand that the situation is difficult in Germany, but you're
>> really not allowed to reject spam? What if you're subject to a denial
>> of service attack? Are you allowed to switch your servers off?
> Short answer: it depends. ;-) If I were under attack I would have lots
> of liberties in handling that precise situation. But of course that's
> not the normal situation.
>
> Imagine a new corporation in Germany which releases an email-policy
> right away, which clearly states that e-mail is to be used for
> business-purposes only. That would be a perfect situation and the
> company would be free to do almost anything about spam. I suppose it
> could even delete incoming messages supposed to be spam, it would be
> nasty but probably legal. Non-spam-e-mail-issues would be easy and legal
> too. For example, if an employee had an accident, some replacement
> person might be granted access to the mailbox.


But, this doesn't address the question of rejecting email. And, I don't see
anything in the rest of the email that suggests that you can't reject email
that you know to be spam.

Are you permitted to reject email that contains known viruses? That doesn't
comply with Internet standards?

Lots of the considerations below (privacy, for example) also apply in the
UK. You'd expect that, as we're both in the EU. However, none of the
considerations below prevent us from rejecting email from (for example)
known spam sources.

> Now forget the perfect world....
> Imagine a corporation using e-mail for several years and no one
> considered it to be necessary to release some e-mail-regulation. Then
> the employees might start sending and receiving private e-mail with
> their company mailbox. If nobody does anything about it, private use of
> company mailboxes will turn to "corporate practice" (a bad translation
> of the German term "betriebliche Übung"). That would be considered
> "worst case". If there is a corporate practice, it is a privilege of the
> staff and you can't get rid of it easily. One could try to negotiate
> with the staff association, but they wouldn't like it. Even if you reach
> a corporate agreement with the staff association, it might not be enough
> to get rid of the corporate practice. You might even need "dismissal
> with the option of altered conditions of employment" with all your
> employees.


> I'm afraid this might be the "normal" situation. It has some bad
> side-effects, e.g. a mailbox might contain private data, so if an
> employee had an accident, you would not be allowed to grant access to
> the mailbox to a replacement person. Cool, isn't it?
> And of course, since the mail your filter considers to be spam might be
> a private message, you might need the (written) consent of each employee
> to do something about spam.
> You might even be considered to offer e-mail-services which might lead
> to the duty of data-retention for six months under EU-regulations... the
> law is still warm and not yet active, but I talked to a lawyer who
> believes this might happen. It is a matter of interpretation, so we will
> have to wait for the first decisions at court.
>
> The last example:
> consider a university. Lots of employees who started using their
> university mailboxes for private purposes ages ago. Some regulations
> which have been updated to include "email is for university purposes
> (education, research,...) only" recently. Thousands of students, half of
> them started with the old regulations, the others with the new
> regulations. The employees have a staff association to represent them,
> but there is no one representing the students.... Of course there are
> students employed by the university to do some small jobs, so they are
> both employee and student. And some people neither employee nor student
> have e-mail-addresses at the university, for example research-partners
> cooperating in special projects.
> Now add some more complications to get a little taste of my world. ;-)
>
>
>
> Oh, and by the way: of course there is "sparingness of data-collection"
> as a base-principle of privacy. So you are allowed to keep logs only if
> you can justify that you need them. If you don't do accounting of each
> e-mail you are not allowed to keep logs. If there is a problem you can
> activate logging temporarily to solve the problem, but you can't argue
> "e-mail is a problem by design" and activate logging permanently. Not if
> you follow the law to the letter.
> Some lawyers consider it to be acceptable to keep logs for up to five
> workdays, some would even accept seven days. But so far no court
> actually had to decide such an issue, so that is just speculation.
>
>
> The message got longer than I wanted and I did consider not sending it to
> exim-users but privately to Ian, but I considered it to be necessary to
> correct Jan's statement regarding Ian's question on the list.




--
Ian Eiloart
IT Services, University of Sussex
x3148