On Wednesday, 19.12.2007, at 16:11 +0000, Ian Eiloart wrote:
[...]
> I understand that the situation is difficult in Germany, but you're really
> not allowed to reject spam? What if you're subject to a denial of service
> attack? Are you allowed to switch your servers off?

Short answer: it depends. ;-)

If I were under attack I would have lots of liberties in handling that precise situation. But of course that's not the normal situation.

Imagine a new corporation in Germany which releases an email-policy right away, which clearly states that e-mail is to be used for business-purposes only. That would be a perfect situation and the company would be free to do almost anything about spam. I suppose it could even delete incoming messages supposed to be spam, it would be nasty but probably legal. Non-spam-e-mail-issues would be easy and legal too. For example, if an employee had an accident, some replacement person might be granted access to the mailbox.

Now forget the perfect world....

Imagine a corporation using e-mail for several years and no one considered it to be necessary to release some e-mail-regulation. Then the employees might start sending and receiving private e-mail with their company mailbox. If nobody does anything about it, private use of company mailboxes will turn to "corporate practice" (a bad translation of the German term "betriebliche Übung"). That would be considered "worst case".

If there is a corporate practice, it is a privilege of the staff and you can't get rid of it easily. One could try to negotiate with the staff association, but they wouldn't like it. Even if you reach a corporate agreement with the staff association, it might not be enough to get rid of the corporate practice. You might even need "dismissal with the option of altered conditions of employment" with all your employees.

I'm afraid this might be the "normal" situation. It has some bad side-effects, e.g. a mailbox might contain private data, so if an employee had an accident, you would not be allowed to grant access to the mailbox to a replacement person. Cool, isn't it? And of course, since the mail your filter considers to be spam might be a private message, you might need the (written) consent of each employee to do something about spam. You might even be considered to offer e-mail-services which might lead to the duty of data-retention for six months under EU-regulations... the law is still warm and not yet active, but I talked to a lawyer who believes this might happen. It is a matter of interpretation, so we will have to wait for the first decisions at court.

The last example: consider a university. Lots of employees who started using their university mailboxes for private purposes ages ago. Some regulations which have been updated to include "email is for university purposes (education, research,...) only" recently. Thousands of students, half of them started with the old regulations, the others with the new regulations. The employees have a staff association to represent them, but there is no one representing the students.... Of course there are students employed by the university to do some small jobs, so they are both employee and student. And some people neither employee nor student have e-mail-addresses at the university, for example research-partners cooperating in special projects. Now add some more complications to get a little taste of my world. ;-)

Oh, and by the way: of course there is "sparingness of data-collection" as a base-principle of privacy. So you are allowed to keep logs only if you can justify that you need them. If you don't do accounting of each e-mail you are not allowed to keep logs. If there is a problem you can activate logging temporarily to solve the problem, but you can't argue "e-mail is a problem by design" and activate logging permanently. Not if you follow the law to the letter. Some lawyers consider it to be acceptable to keep logs for up to five workdays, some would even accept seven days. But so far no court actually had to decide such an issue, so that is just speculation.

The message got longer than I wanted and I did consider not sending it to exim-users but privately to Ian, but I considered it necessary to correct Jan's statement regarding Ian's question on the list.

-- 
CU, Patrick.
-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
