> The first paragraph of 9.3.  Privacy considerations is overly
> restrictive. If the recipient provided an e-mail for a specific
> purpose and the sender uses it for unauthorized purposes, then it is
> spam and should be reported as such. Example: an e-mail address
> provided to a car dealer strictly for service updates that is used for
> marketing. In such cases there is an involvement but there is not
> permission for the specific messages.

Shmuel is absolutely right, and I think that first paragraph should be
re-thought and re-formulated.  A few thoughts on that:

1. Replacing the recipient's email address with an opaque token is
reasonable advice.

2. But if the token is the same every time, so that the side
processing the abuse reports can correlate different spam messages
reported by the same user, that's a privacy leak.  We've seen how
"anonymized" search information can be used to identify the
individual, and there are other effects here as well.

3. It's not valid to assume that the recipient has no relationship to
the spam sender, and there might very well be privacy issues involved
with associating the sender to the recipient.  There are many ways in
which one can have an established relationship with someone without
having given them permission to send marketing (or other) email.

Let's do some re-thinking here.

Barry, as participant (but my chair hat is very near)
_______________________________________________
marf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/marf
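Point 2 of the message above, as an added example (not part of the original message or of the draft under discussion): a keyed token that is the same for every report lets the side receiving the reports group them by reporter, while a fresh token per report does not. The key, the `rcpt-` token format, the function names and the sample messages are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets
from collections import Counter

KEY = b"constructed-demo-key"  # assumption: secret held only by the reporting side

# Constructed sample data: (recipient address, headers of the reported message)
SAMPLES = [
    ("alice@example.org", "To: alice@example.org\nSubject: Spring sale"),
    ("alice@example.org", "To: alice@example.org\nSubject: Trade-in offer"),
    ("bob@example.org", "To: bob@example.org\nSubject: Spring sale"),
    ("alice@example.org", "To: alice@example.org\nSubject: Last chance"),
]

TOKEN_RE = re.compile(r"rcpt-[0-9a-f]{16}")


def stable_token(addr):
    """Same address always yields the same opaque token."""
    digest = hmac.new(KEY, addr.lower().encode(), hashlib.sha256).hexdigest()
    return "rcpt-" + digest[:16]


def per_report_token(addr):
    """Fresh random token for every report; nothing is derived from the address."""
    return "rcpt-" + secrets.token_hex(8)


def redact(message, addr, make_token):
    """Replace the recipient's address in a reported message with a token."""
    return message.replace(addr, make_token(addr))


def largest_correlated_group(redacted_reports):
    """What the report-processing side can do: count reports sharing a token."""
    counts = Counter()
    for report in redacted_reports:
        counts.update(set(TOKEN_RE.findall(report)))
    return max(counts.values())


def run(make_token):
    """Redact every sample with the given scheme and measure linkability."""
    redacted = [redact(msg, addr, make_token) for addr, msg in SAMPLES]
    return largest_correlated_group(redacted)


if __name__ == "__main__":
    print("stable token, reports linkable to one reporter:", run(stable_token))
    print("per-report token, reports linkable to one reporter:", run(per_report_token))
```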