If federated nodes have to mutually verify each other's compliance, then every email server in the EU is breaking the law.
Presumably the reason email servers can operate legally is that the sender of each email is deemed to be the data controller or is otherwise giving explicit consent to their private data being sent to each recipient's mail provider.
Social networking is roughly equivalent to the sending of emails BCCed to everyone in your address book. In the case of something like Twitter-style microblogging, the GDPR is even less relevant since the user is deliberately trying to make information publicly available.
Please state the relevant law that it'd be breaking, I'm genuinely curious. Compliance tools are built into most cloud and enterprise offerings that allow this. Do you not have experience of enterprise/cloud email offerings?
an interesting analogy: 1-to-1 email used to be considered private. actually, a lot of people still use it with an expectation of privacy (see: password resets sent over email, politicians regularly having their incriminating emails leaked, or good ol’ personal correspondence). but technically it’s never been all that private: most SMTP servers don’t mandate SSL, and even with SSL most email remains readable and indexed by Google.
i have no problem when the people i intended to reach save and index my email. yet i think i’m reasonable in being upset whenever i discover a new party i didn’t know/expect is doing it (e.g. NSA).
SMTP sniffing, SNI sniffing, DNS sniffing: these are all instances where ingesting “openly available” data is beneficial to the party doing it but costly to me (it limits my ability to speak freely with a consenting party without consequence).
fediverse is clearly split on this. some people have expectations based more in personal correspondence, and don’t want to end up in the same situation as email where the adversarial relations and negative externalities are just de-facto/accepted. others have expectations based in mass-media, where the further your comms travel the better. but for most users, they use the protocol for a mix of both, and that makes for a messy and difficult to reason about situation.
some of this is solvable with protocol upgrades. but that’s going to take a lot of time, and it’s not clear that every social norm even can be enforced technically.
>When you let someone else handle your email, they own your email. There is no postal secrecy law, no rule against reading. They can touch, modify or delete according to their whims. It's their email now.
In Germany, email is actually protected by the Fernmeldegeheimnis [1], even while the email is saved on the provider's server. The reasoning behind that [2] seems to be that the mail server's storage is part of the communication process, no matter how long the data sits there.
Privacy is also meant to protect you from the state, or more specifically state abuse. It's an essential aspect of privacy.
Like privacy is also meant to e.g. not disclose topics you have communicated about so that it can't be abused against you. For example there is a long history of states persecuting people for idk. being gay, believing in a certain religion or being a journalist who was involved in an unpleasant disclosure.
Still privacy and anonymity are two tightly related but different things. Mainly privacy of communication doesn't always imply anonymity, though sometimes does (and has to!).
Anyway it is foolish and somewhat strange to believe that a legally operating email service will protect you against judge-backed lawful orders (no matter if it should be lawful or not).
Handing out metadata isn't even the worst which can happen, e.g. a judge might order them to make copies of unencrypted mails you receive or make copies of unencrypted mails you write or even undermine your encryption the next time you log in.
They can try to dispute it and that alone does reduce abuse potential (if they operate in a place which still can be called a state of law). In the end, especially for mail, there is just no true privacy and even less anonymity.
Which doesn't mean their service is useless.
Just if you worry about political prosecution by EU countries, or do crime, it's not protecting you.
>though in the EU they have to provide notice of that monitoring
There is an interesting exception; if private usage of your work mail account is banned, it should not contain private data and therefore, it's free to be monitored. Same for internet usage. This is usually coded into your contract when you sign.
In the EU private messages are protected, companies can't just read through your entire mailbox as you have a reasonable expectation of privacy. Of course they can read it if they have a good reason: e.g. you're leaking information to the competitor, but you can't just read random emails between an employee and their spouse for no reason.
As someone who ran a significant email service for several years and dealt with many variations of discovery requests, no it isn’t.
Nobody said that you need to run a mail server, just keep your data in your possession.
If you are worried about privacy with respect to your data, you only have limited protection for 180 days if it is on the provider's server. (See Stored Communications Act)
In the US, the 4th amendment ensures that you are “secure in their persons, houses, papers, and effects”. But when you put your papers or effects in the hands of a third party who isn’t your attorney, you lose much of those rights.
GMail IMO is the most honest of these services, as they are very clear that your privacy is limited in scope. Fastmail, Protonmail, etc imply things that are not as meaningful as one may think.
This is a big difference between Europe and the US. I think different European countries require different levels of strictness -- it may be that the employer isn't allowed to even track who the correspondents are, let alone read the email contents.
The whole point is that "your" logs contain personal data about others. That data is theirs not yours. Moreover if you get asked about "your" logs by the US government you have to hand "their" data over to them, for which there is no legal recourse for the person owning the data.
To make this more obvious, the EU is essentially saying that you can create a post service that routes all their letters through the US where they can be opened by the FBI, without any legal recourse.
I'm always amazed how people (even very technical) argue that things are perfectly fine for electronic data when they would completely oppose the same thing for physical things, e.g. letters. I guess years of propaganda have worked.
Aren't emails subject to the legal definition of private correspondence and therefore protected from this kind of behaviour? (I believe this is the case in France, Italy, Spain or Germany)
Email is an open protocol. If I send an email that's illegal, say death threats or child porn, the government can put me in jail. There doesn't need to be a single controlling entity for that to work.
The process of doing that involves investigation, subpoenas, and warrants, and is subject to laws created in a more or less democratic process. No part of it requires anyone to prevent me from sending illegal emails, just an apparatus to punish me if I do.
Of course the right to privacy applies to children as well, and to messaging in school between peers, just like in civilized jurisdictions it's illegal for employers to read email between employees.
If you use a Comcast email address -- is it ok for them to scan emails you send to your friends, and quietly delete them if they contain links to newspapers they don't approve of?
This would be illegal under net neutrality, and is identical to what Twitter and Facebook are doing regularly.
Protected, yes, enforceable, not really. You are talking about a reactive stance where regulation will protect black box systems that you have no control over. That's just not possible. You can, and should, have regulation to protect the weaker classes, but hoping that it is really enough is naive. The whole point of open and federated protocols like email is to avoid lock-in. So if a large government or a bank cannot host email, that's a deficiency that they should remedy first.
I imagine they have to conform to those laws for their email service. And, given that they're a big company with plenty of lawyers, I have no doubt they are. However, this probably changes nothing about the core product.
> Although it does not generally prohibit such monitoring, it sets high thresholds for its justification
The article doesn't give details as to which thresholds the ruling sets, though.
I guess they might be an improvement over Romanian law for example, but below French law (and probably other EU countries as well) where what is sent or received on nominative work email addresses is private communication and cannot be monitored.
I'm aware. It's the principle of the thing that bothers me. I'd love to do business with Fastmail but I don't want my communications flowing through a surveillance state that has no due process.