5x12 pentomino tiling
«

Retaining Mail Traffic

 »

The following is my response to the Government consultation on ISPs being required to retain details of every email sent.

Dear Sir

I have read your consultation paper and have some thoughts to share.

My company develops web sites and provides other Net related services to charities and other not-for-profits and I'm concerned about the implications of this document for us and for our hosting providers Bytemark (who I've CCed although I suspect they're already thinking about this themselves).

I'm concerned that the document is making rather naive assumptions about how email is sent: that the sender connects to their ISP and sends email over SMTP through the ISP's mail servers. So the ISP will be responsible for logging each email on their outgoing SMTP server.

That's not how it always works. Here's two real life cases that apply to us:

Our Own Email

We send our own email through our SMTP server located here, directly to the recipient's mail server. So it doesn't pass through our ISPs' (we have two, one primary and one backup) mail servers. For us to log our own outgoing mail traffic would seem both onerous and pointless, as if we were engaged in criminal activity we would simply fake the logs.

The only way I can see around this is to require ISPs to intercept all outgoing SMTP traffic.

Mail Sent Via WebMail

We currently have a customer who has an extranet server which we rent from Bytemark. The customer's employees log into the server via the Web and send mail via a webmail interface. So mail originates on that server and is again is delivered directly to the recipient, not through any ISP's outgoing SMTP server.

In that scenario who is going to be responsible for logging the outgoing email under the directive? I can see five possibilities:

  • the customer, as it's their employees using the server
  • us as we're the people renting the server
  • Bytemark as they actually own the server
  • whoever owns the rack in which the server sits
  • whoever owns the facility in which the rack is located

The directive needs to be clear who it is as it is imposing a legal burden on people to do so.

Avoiding the Directive

Finally it's worth mentioning that there is a fundamental problem with all of this.

If you are a criminal, or indeed if you just value your privacy, this directive will be easy to avoid: simply rent a cheap server outside the EU (and the US too I suspect), set up a VPN to it, and then route your outgoing email through the VPN.

Even if you insist that ISPs log outgoing SMTP traffic they can't do anything useful about VPN traffic as it's encrypted and they can deduce nothing very useful about its content.

Regards
Paul Oldham
http://www.the-hug.co.uk

Tags: internet, national politics Written 12/09/08

Comment on this article

« »
I am currently reading:

Beautiful Lives: How We Got Learning Disabilities So Wrong by Stephen Unwin Dead Water by Ann Cleeves

(?)
Word of the Day:
pelters