[anti-abuse-wg] Legal concerns, was Manual vs automated reports

On Sun 29/Jul/2012 09:47:52 -0700 Tobias Knecht wrote:
> 
> That would mean that the a user has to click 50 times the spam
> button, than 50 times "Yes I want to report this message!" and than
> 50 times "I'm okay that this message will be sent to X!"

And that, of course, does not leave you anything that a court would
consider a proof that consent was granted.  For contractual issues, I
see telcos hire call-center staff in order to ask for user's consent
at the phone, taping a formal question-and-answer sequence that can be
kept as a proof.

> We first need to find a simple for end users secure way to report that
> does not destroy the usability and the trust and than come up with
> solutions.

Exactly!  I'm not sure to what extent can OAuth or OpenID provide
useful techniques.  There seems to be an original sin in privacy
practices, whereby anything Internet-related is assumed to be evil.
There are no established protocols to grant consent through the net.

>> We need to clear up this issue.  Googling for that I find that ETIS,
>> which is based in Europe, has an "Anti SPAM Co-operation Group" that
>> "is also working on an anti-spam feedback loop project."  (Quotes from
>> http://etis.org/groups/anti-spam-task-force ).  I'd guess you know
>> them; they have a meeting on next Oktoberfest...  Would they cover
>> those legal concerns?
> 
> Yes ETIS is exactly working on these legal issues, but imho have not
> found a way around it. The project that is ongoing there has nothing
> to do with user feedback. It's about spamtrap data provided by the
> ETIS members. I'll be probably at the next ETIS meeting in Munich and
> hopefully can help to take some next steps.

I wrote them, but got no answer yet.  I'd be happy to participate as
well, if it helps.

> We have an IETF specification, but this does not stand over the law.
> We can specify as much as we want, if this is not a within the legal
> framework we can't use it. And that is exactly what I mean, the rfc
> you mention does not take in account that European legal system is
> opt-in and not opt-out. Same on the different direction. Most ESPs in
> the US don't care about opt-ins which is legally recommended in Europe.

Hm... yeah, something.  Americans have their own conundrums, such as
patents.  Those legal hypes seem to be rather related to temporary
idiosyncrasies originating from a particular case, than applications
of a general, uniform logic.

For example, SMTP-forwarding is obviously incompatible with privacy,
but nobody seems to be concerned about how many times users must
confirm that they want to receive a commercial newsletter.  Instead,
lawyers argue that the mere presence of an email address in a publicly
(or privately) accessible list may imply its owner's consent.

By a similarly opportunistic argument, sending a message back to one
of the entities who relayed it should imply no leak of information,
since that data is already known to the relay.  It has to be attached
as a means of identifying it.

If laws can be interpreted, it is not acceptable that interpretations
only favor spammers :-/

> This is a basic difference between the US and Europe which can not be
> ironed onto the same level. The outcome must be the same, but the way
> to this will be different.

Yes, I'd hope that users signalling messages to European ISPs can be
better informed of what such signal means, w.r.t. American users.