[Gllug] Re: www.spews.org - spamming blacklist

Mike Brodbelt mike at coruscant.demon.co.uk
Wed Jun 4 01:34:32 UTC 2003 

On Tue, 2003-06-03 at 13:19, itsbruce at uklinux.net wrote:
> On Tue, Jun 03, 2003 at 12:52:12PM +0100, Jason Clifford wrote:
> > On Tue, 3 Jun 2003 itsbruce at uklinux.net wrote:
> > 
> > > If a spamfilter neither keeps separate copies of the e-mails nor logs
> > > their contents then I don't see how it could be considered a privacy
> > > violation any more than the local delivery process, especially if it
> > > only adds message headers to indicate the likely spam level.  If that's
> > > a privacy violation, so are the Received: headers.
> > 
> > It may be a privacy violation due to the fact that it operates on the 
> > content of the message.
> > 
> > The Received headers are SMTP headers and adding them does not requiring 
> > any scanning of the message content.
> 
> As Tethys pointed out, they are no such thing.  They are informational
> headers added to the message body.

Technically, you're right. Legally, you're wrong :-(. The headers of a
mail (as opposed to the content and the envelope) are legally considered
traffic data, the content of the body is not. It's legal to process
traffic data for delivery - it's not legal to process content.

>   At work I have spamassassin set up
> to add spam-level headers and make no other changes to the message
> contents.

You, as the employer, act as a service provider. It's OK for you to do
this as you own the network. You have way more power than an ISP, as you
own the machines, and the users could be argued not to have the same
expectation of privacy. It's very much a grey area with no case law
though.

>   Individual users can then have rules that act on these
> headers.  This is no more tampering with the message than the Received
> header.
> 
> The message body is not the same thing as the message content,
> a distinction that may not yet have been tested in court but should be
> easy enough to establish should it ever come to it.

SpamAssassin processes the message content with regexes (even though it
doesn't alter it), so definitely falls the wrong side of the line. To
turn it on within a company is almost certainly OK - I use it as well.
To turn it on at an ISP is almost certainly not OK - processing (even
without human intervention) of the content without explicit permission
from the user is a no-no.

The law has not been drafted terribly well here, but that's the way it
is...

Mike.



-- 
Gllug mailing list  -  Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug

More information about the GLLUG mailing list