EU privacy experts slam email tracking services

Didtheyreadit.com under fire

Services that track whether an email has been opened will breach EU data protection laws unless the recipient has given unambiguous consent to the service, according to an opinion from the Article 29 EU Working Party on Data Protection.

Did they read it?

The EU Working Party singled out the Did they read it? service as an example of a new type of service. For avoidance of doubt, this is not the 'read receipt' service with which users of popular email software like Microsoft Outlook will be familiar, which gives an external email recipient the opportunity to accept or refuse the sender's request for an acknowledgement that the email has been read.

Instead, the service at didtheyreadit.com, from Florida-based Rampell Software, LLC, offers no opportunity to accept or refuse the tracking. It also provides additional details to senders: the date and time when the email was opened, where, geographically, the email was opened, for how long, and whether it was forwarded.

Subscribers who use Yahoo!, Hotmail or AOL email services can simply add ".didtheyreadit.com" to the end of a recipient's e-mail address to have an email tracked. Users of Outlook simply download a piece of software to add the secret tracking ability.

The independent working party, whose opinions are influential but not binding, expressed "the strongest opposition" to such services in a wider report on privacy issues related to the provision of email screening services, describing the secret data processing as “contradictory to the data protection principles requiring loyalty and transparency in the collection of personal data”.

Consent must be given. "No other legal grounds justify this processing," the working party warns.

The report also considers how virus detection, spam filtering and processes used by ISPs and email service providers (ESPs) to pre-determine content are impacted by rules such as the European Convention on Human Rights, the Data Protection Directive and the Privacy and Electronic Communications Directive.

Virus scanning

In general, the working party finds that the ISP practice of scanning emails to ensure that they do not contain known viruses is justified by an obligation to take measures to safeguard the security of services and to protect systems. However, it says that ISPs must still make sure:

  • That the content of emails and attachments is kept secret and only disclosed to the intended recipient;
  • That where a virus is found, there are sufficient confidentiality guarantees on the installed software;
  • That virus scans only analyse the content of emails for the purpose of detecting viruses; and
  • That they provide information on the screening.

Spam filtering

Similarly, the working party finds that the practice of blacklisting or filtering spam is generally justified because without it spam would jeopardise the ability of an ESP to provide the email service at all.

However, it expresses concern that legitimate messages are sometimes filtered out along with the spam - so-called "false positives". This might be a breach of the rights to freedom of speech and freedom of communications, according to the opinion.

It recommends that ESPs:

  • Give subscribers the chance to opt out of spam filtering and the ability to both check whether the filtered emails were spam and to decide what should constitute spam for their purposes;
  • Develop filtering tools that can be used by subscribers to control spam filtering;
  • Develop other spam-fighting tools that may be less privacy-intrusive;
  • Keep subscribers informed of their spam policy; and
  • Ensure the confidentiality of filtered emails.

Detecting content

The working party was less convinced of the legality of techniques allowing ESPs to screen and remove emails that contain predetermined content, such as pornography. It cited Yahoo!'s terms of service as an example of a provider that reserves a right to pre-screen for objectionable content.

"The email service provider is not under threat of being harmed and communications stopped because of the material contained in emails," explains the opinion. "Therefore, the scanning for the purpose of detecting this material is not legitimised on the email provider's need to safeguard the security of the service."

It was also concerned that such filtering gives ESPs the ability to censor private email communications - "raising fundamental questions of freedom of speech, expression and information."

To avoid breaching data protection rules in this area, said the working party, ESPs must either be authorised to screen content by national laws, or have the consent of service users. But while a service provider like Yahoo! can obtain the consent of its own customers in its terms and conditions, it will struggle to obtain consent from others who email its customers.

See:
Working Party Opinion (10-page/ 64KB PDF)
Didtheyreadit.com 
Slashdot commentary on didtheyreadit.com 

Copyright © 2006, OUT-LAW.com

OUT-LAW.COM is part of international law firm Pinsent Masons.
