Did they read it?
The EU Working Party singled out the Did they read it?
service as an example of a new type of service. For avoidance of
doubt, this is not the 'read receipt' service with which users of
popular email software like Microsoft Outlook will be familiar,
which gives an external email recipient the opportunity to accept
or refuse the sender's request for an acknowledgement that the
email has been read.
Instead, the
service at didtheyreadit.com, from Florida-based Rampell Software,
LLC, offers no opportunity to accept or refuse the tracking. It
also provides additional details to senders: the date and time when
the email was opened; where, geographically, the email was opened;
for how long; and whether it was forwarded.
Subscribers who use Yahoo!, Hotmail or AOL email services
can simply add ".didtheyreadit.com" to the end of a recipient's
e-mail address to have an email tracked. Users of Outlook simply
download a piece of software to add the secret tracking
ability.
The independent Working Party, whose opinions are influential
but not binding, expressed "the strongest opposition" to such
services in a wider report on privacy issues related to the
provision of email screening services, describing the secret data
processing as “contradictory to the data protection principles
requiring loyalty and transparency in the collection of personal
data”.
Consent must be given. “No other legal grounds justify this
processing,” warns the Working Party.
The report also considers how virus detection, spam filtering
and processes used by ISPs and email service
providers (ESPs) to pre-determine content are impacted by rules
such as the European Convention on Human Rights, the Data
Protection Directive and the Privacy and Electronic Communications
Directive.
Virus scanning
In general, the Working Party finds that the ISP practice of
scanning emails to ensure that they do not contain known viruses is
justified by an obligation to take measures to safeguard the
security of services and to protect systems. However, it says that
ISPs must still make sure:
- That the content of emails and attachments are kept secret and
only disclosed to the intended recipient;
- That where a virus is found, there are sufficient
confidentiality guarantees on the installed software;
- That virus scans only analyse the content of emails for the
purpose of detecting viruses; and
- That they provide information on the screening.
Spam filtering
Similarly, the Working Party finds that the practice of
blacklisting or filtering spam is generally justified because
without it spam would jeopardise the ability of an ESP to provide
the email service at all.
However, it expresses concern that legitimate messages are
sometimes filtered out along with the spam – so called ‘false
positives’. This might be a breach of the rights to freedom of
speech and freedom of communications, according to the Opinion.
It recommends that ESPs:
- Give subscribers the chance to opt out of spam filtering and
the ability to both check whether the filtered emails were spam and
to decide what should constitute spam for their purposes;
- Develop filtering tools that can be used by subscribers to
control spam filtering;
- Develop other spam-fighting tools that may be less
privacy-intrusive;
- Keep subscribers informed of their spam policy; and
- Ensure the confidentiality of filtered emails.
Detecting content
The Working Party was less convinced of the legality of
techniques allowing ESPs to screen and remove emails that contain
predetermined content, such as pornography. It cited Yahoo!'s terms
of service as an example of a provider that reserves a right to
pre-screen for objectionable content.
“The email service provider is not under threat of being harmed
and communications stopped because of the material contained in
emails,” explains the Opinion. “Therefore, the scanning for the
purpose of detecting this material is not legitimised on the email
provider’s need to safeguard the security of the service.”
It was also concerned that such filtering gives ESPs the ability
to censor private email communications – "raising fundamental
questions of freedom of speech, expression and information."
To avoid breaching data protection rules in this area, said the
Working Party, ESPs must either be authorised to screen content by
national laws, or have the consent of service users. But while a
service provider like Yahoo! can obtain the consent of its own
customers in its terms and conditions, it will struggle to obtain
consent from others who email its customers.
