Tuesday, 10 September 2013

ICO being a tad strange still

Whilst not relevant for my court case in November, I asked ICO to consider adrian.kennard@aaisp.net.uk as an email in relation to PECR. I pay A&A for email under aaisp.net.uk as an individual, so I think the regulations apply. They do not.

Their latest reply:-

I can confirm that having reviewed your correspondence your email address adrian.kennard@aaisp.net.uk would still be deemed to be a corporate subscriber under the PECR. This is because you are using the email address in the workplace in your capacity as a Director of the organisation and not using it for individual purposes. Whilst the PECR do not mention specifically work email addresses it does refer to corporate and individual subscribers. Email addresses provided by employers to their employees, including Directors, are considered to be corporate for the purposes of the PECR.

Now really? This makes no sense. The PECR has actual definitions in it, and they are outright ignoring them! It even defines "corporate subscriber", and I do not meet that definition. So my latest reply is as follows. We'll see what they say...

P.S. just to clarify why I am doing this - this is about as extreme an edge case as I can find which, in my view, meets the regulations. I am trying to find exactly where the line is drawn on this. If the ICO agree this, then it makes the rules much clearer for everyone.

Relating to email address and services for adrian.kennard@aaisp.net.uk:-

1. Do the ICO agree that I meet the definition of "individual" as per
section 2 of the regulations?

“individual” means a living individual and includes an unincorporated
body of such individuals;

I believe I come under the "living individual" part of that, I have a
heartbeat and everything, and would be worried if I did not.

2. Do the ICO agree that I meet the definition of "subscriber" as per
section 2 of the regulations?

“subscriber” means a person who is a party to a contract with a provider
of public electronic communications services for the supply of such
services;

I appreciate that is more complex, so let's break that down:-

2a. Do the ICO agree that I am a party to a contract for "such services"
for that email address?

If it helps, I can show you the invoice I pay every month for that.

2b. Do the ICO agree that the other party to that contract, Andrews &
Arnold Ltd, are a "provider of public electronic communications services"?

If not, then A&A get out of a hell of a lot of other laws and
regulations. OFCOM will not be amused.

Now, if you said "yes" to all of these, you have to agree:-

3. Do the ICO agree that, for the email address
adrian.kennard@aaisp.net.uk, I meet the definition of "individual
subscriber"?

I look forward to some simple yes/no answers and will publish them on my
blog. If you say no, please explain, as I really cannot see the loophole
here no matter how hard I try.

Oh, finally, I nearly forgot:-

4. Do the ICO have to actually operate in accordance with the law as
written and actually use the definitions in the law?

19 comments:

  1. "Email addresses provided by employers to their employees, including Directors, are considered to be corporate for the purposes of the PECR."

    If that's really true, then any A&A employee that subscribes to A&A's services doesn't really have personal email addresses -- they're all corporate, which means as an employer you could legally review them, access their content, etc. But that doesn't pass the smell test.

    Replies
    1. Good point, I'll email that to them

  2. I have to say that this response seems truly bizarre. I have an email address that I've used for personal purposes since I first registered the domain back in pre-Nominet days. That has been my personal address through several employers, and I've deliberately maintained it separately to any workplace address. But recently, I registered a limited company in the same name as the domain. In future, that will become my main trading name. But I want to carry on using my personal address in what is now a corporate domain in the same way that I always have done.

    If the ICO are correct, that email address has now ceased to be an individual address because it's now owned by a company of which I am director. That's just ludicrous.

  3. When the state fails to uphold its own laws I guess the result is inevitable?

    http://www.theregister.co.uk/2005/07/26/russian_spammer_killed/

  4. So, I have sent this now...
    Following your last reply, and my blog post on it, I have had some
    concerned queries from staff of Andrews & Arnold Ltd.

    Many of them buy services, including email, from A&A, some of which have
    domains and services that pre-date their employment with A&A. They have
    broadband and email as normal end users and individuals.

    We had assumed they were individual subscribers.

    They are worried that your statement means that, because they are
    employees, the email they use for personal use is no longer afforded the
    benefit of section 22 of the PECR.

    Are you really saying that email provided to employees is always
    considered to be "corporate subscribers"?

    This is causing some concern amongst the staff.

    I look forward to your reply clarifying this matter.

  5. I had exactly this absurdity regarding university email addresses a few months ago; somehow, they decreed that a student - paying a university for a bundle of services which includes an email address - is not an individual. I wanted to ask them how a bundle of tuition+Net access+email service didn't qualify, and if this meant that my Virgin Media bundle of TV+phone+email was also excluded from "individual" status since it's also a bundle of which email is a small part...

    Unfortunately, that was a hypothetical, since the email address in question is my staff one, albeit indistinguishable from student ones. I should be starting a self-funded PhD at another nearby university soon though, which will get me a genuine student account being provided to me for a fee, complete with contract about not using it for spam or commercial purposes, which should give me standing to argue with the ICO over this.

    Replies
    1. They explained that one to me - the uni do not provide electronic communications services to the *public*, only students, which is why you do not meet the "subscriber" definition. In my case my employer is an ISP, so it does meet the definitions.

    2. I'm not at all convinced by ICO's reasoning that a university's customers are not "public" (why is buying tuition+email any different from buying TV+email?) - particularly in my case, since the university is also a licensed telco which provides some services to local businesses and sells the user accounts to non-staff/non-students as a service in itself, for about £10 per month. (Yes, there are some eligibility constraints - but most businesses have some requirements: credit check, banking status, etc; A&A's own Home::1 is not available to every potential customer either!) I don't pay the £10 fee - but for that matter, I'm not an employee or student there either; my employment contract ended four years ago, so the only legal framework in place is my agreement to abide by the terms and conditions of the user account for computing facilities.

      I'll get in touch with someone relevant and see if we can make sure we do qualify as serving the "public" (a few local businesses and a school might not quite be enough to force the ICO to concede) - the potential gains of getting the existing users stronger legal protection seem to be worth quite a bit of effort.

      The silver lining seems to be that as both my address and yours contain our names, they should be "personal identifiable information" for Data Protection purposes: even if the actual sending would be permissible, using the email address itself is restricted. If only PECR didn't try to make such an absurd distinction in the first place! Just prohibit UBE - whether the recipient pays the account costs personally or not.

    3. That is a very good point - if the uni does provide email services to the public as well as students, that seems to be valid to me. We had a long debate on irc last night on this and one of my own staff was adamant that he should group the services offered in some way (I think it comes from "such services" in the "subscriber" definition), and he was trying to group them by domain, arguing that as A&A don't offer the public email addresses ending @aaisp.net.uk then, for adrian.kennard@aaisp.net.uk you have to consider A&A not to be a public provider. I was having trouble finding why he invented this "group by domain name" logic, or how that would work for every A&A individual email customer who each get a whole domain exclusively such as kennard.me.uk. If the ICO group "services to students" and said these are not public services, it would be the same lack of logic.

  6. Latest idea to them:-

    Sorry to bombard you with questions on this.

    This is one as A&A, an ISP. We provide email to lots of companies, e.g. we may provide some email under somedomain.co.uk to a business. We provide email addresses under that domain in mail boxes used by their staff.

    Obviously this is not covered by section 22 of PECR. We are contracting with a corporate entity for email, us being an ISP. No question that the subscriber is a corporate subscriber.

    However, in light of the PECR, we are considering offering a service where, for some nominal sum, we provide individual email addresses under customers' domains, e.g. fred@somedomain.co.uk, directly by contract between us and that customer's employee, e.g. Fred Bloggs.

    The technical aspects would be the same, a mailbox on our IMAP server. The domain would be owned by the customer/company, but we would contract with the individual for the email on the specific email address.

    Obviously the email address would be used for work purposes, but following the definitions in the regulations, even with your special interpretation that email provided by a company to employees is corporate, this would still be a case of "individual subscriber". It would not be the employer providing the email, it would be us as an ISP providing it, by contract with the individual.

    This would allow all of a customer's business email addresses to come under section 22 of PECR.

    Do you agree?

    If so, we'll work on launching such a service ASAP.

  7. It's sad to see how sloppy the ICO are with their wording; they, of all people, should know better. But I shouldn't think the idea of someone being both an employee and a customer has ever occurred to them (after all, *they* don't have any separate agreements with the ICO, and every other employee in the country must be just like them, surely?)

    If only they had written "Email addresses provided by employers to their employees as part of that employment" there would be much less scope for disagreement (especially if they had added "rather than under any other private contracts that employees may have as customers of their employers").

    But with their unthinking choice of words, they have opened a can of worms that didn't even exist beforehand. And these people are in charge of interpreting laws... sigh.

  8. This makes for a good read - the ICO has just published it. In particular, what they think constitutes "opting in" is worth looking at (and it all seems surprisingly reasonable):
    http://www.ico.org.uk/for_organisations/guidance_index/~/media/documents/library/Privacy_and_electronic/Practical_application/direct-marketing-guidance.pdf

  9. Here is a simple solution.

    If you are sending Direct Marketing emails then you should add an X-DM header - this could be agreed and standardised and would not even have to be mandated by the ICO.

    Those of us (99.999%?) who don't want spam just set our servers to delete them and the rest can have them.

    If you don't have an X-DM header then you are looking at a much higher burden of proof to show that the mail was requested by the sendee and the courts can take an accordingly dim view of transgressions.

    Could it work?

    Replies
    1. You would need it to be mandated by the ICO, because you would clearly need someone to take enforcement action when companies ignored the standard. And people would, inevitably, ignore it because:

      1. People are incompetent and wouldn't bother to implement it (hell, probably wouldn't even know about it - we know how many people completely ignore RFCs and cause a nightmare for protocol interoperability already; and we know that a lot of companies don't seem to be aware of stuff that _is_ regulated, such as TPS, anti-spam legislation and the DPA).
      2. It would rapidly become impossible to send mail with the X-DM header to anyone, because all the off-the-shelf antispam systems would immediately add it to their antispam rules. So the only "solution" for the marketers is to not use the header. We've seen this with popup blockers on browsers - when people started blocking popups, the marketers switched to floating HTML elements within the pages instead.

    2. With the greatest of respect to the ICO, they seem to want to enforce diddly-squat. Hence the reason I am taking a phone spammer to court myself to recover costs rather than hope and pray that the ICO would even bother to raise a finger to help me (let alone recover any costs for me).

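The header-based scheme proposed in this comment, and the fail-open weakness its reply points out, as an added example that is not code from the post or any commenter. It assumes the hypothetical "X-DM" header name from the comment (it is not a registered header), and every message in it is constructed for the example:

```python
# Added example, not code from the blog post or its comments: a mailbox-side
# filter for the "X-DM" header convention a commenter proposed above.
# "X-DM" is that commenter's hypothetical header name, not a registered one,
# and all messages below are constructed for this example.
import email
from email import policy
from email.message import EmailMessage

DM_HEADER = "X-DM"  # hypothetical marker header from the comment


def classify(raw: bytes) -> str:
    """Return 'direct-marketing' when the marker header is present, else 'keep'.

    Header names are case-insensitive (RFC 5322) and the email package honours
    that, so 'x-dm' matches too. A message with no marker is kept: the scheme
    fails open, which is the weakness the reply to the proposal points out.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    return "direct-marketing" if DM_HEADER in msg else "keep"


def filter_mailbox(messages):
    """Split raw messages into (kept, dropped) lists according to classify()."""
    kept, dropped = [], []
    for raw in messages:
        (dropped if classify(raw) == "direct-marketing" else kept).append(raw)
    return kept, dropped


def mark_as_direct_marketing(msg: EmailMessage) -> EmailMessage:
    """Sender side of the convention: stamp an outgoing marketing message.

    Setting the header is all a compliant sender would have to do; nothing in
    the scheme stops a non-compliant one from simply leaving it out.
    """
    msg[DM_HEADER] = "yes"
    return msg


def marked_roundtrip(subject: str) -> str:
    """Build a minimal message, stamp it, serialise it and classify the result."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("constructed body")
    return classify(mark_as_direct_marketing(msg).as_bytes())


# Constructed sample messages (CRLF line endings, as on the wire).
SAMPLE_MESSAGES = [
    b"From: billing@example.invalid\r\nTo: fred@example.invalid\r\n"
    b"Subject: Your invoice\r\n\r\nInvoice attached.\r\n",
    b"From: promo@example.invalid\r\nTo: fred@example.invalid\r\n"
    b"X-DM: yes\r\nSubject: Special offer\r\n\r\nBuy now.\r\n",
    b"From: promo@example.invalid\r\nTo: fred@example.invalid\r\n"
    b"x-dm: yes\r\nSubject: Another offer\r\n\r\nLowercase header name.\r\n",
    b"From: promo@example.invalid\r\nTo: fred@example.invalid\r\n"
    b"Subject: Unmarked offer\r\n\r\nNo marker, so this one gets through.\r\n",
]

if __name__ == "__main__":
    kept, dropped = filter_mailbox(SAMPLE_MESSAGES)
    print(f"kept {len(kept)}, dropped {len(dropped)}")
```

The fourth sample is the point of the reply above: an unmarked marketing message is indistinguishable from ordinary mail to this filter, so the convention only ever removes mail from senders who choose to co-operate.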
  10. My latest email to them...

    I appreciate you have had a lot of emails from me on this matter, but
    given that your rules are not the same as those in the PECR, it does
    take a lot of clarification. Are the rules you work to actually written
    down anywhere so I can work out the answers without asking you each time?

    Anyway, one more question...

    If Andrews & Arnold Ltd contract someone else to manage the email for
    @aaisp.net.uk, and that company (an ISP, so a provider of public
    electronic communications services) contracts with A&A for generic mail
    addresses like sales@aaisp.net.uk, but also contracts with individual
    A&A staff for the provision of the email services for specific staff
    email addresses, i.e. they contract with me personally for
    adrian.kennard@aaisp.net.uk email, and I am not an employee, director,
    or shareholder of that other company, does that make me an "individual
    subscriber" for the purposes of the regulations in relation to
    adrian.kennard@aaisp.net.uk?

    i.e. are your special rules that ignore the PECR definitions only for
    "employees, even directors" as you seem to suggest?

    I look forward to your reply. If it does, then we will arrange this with
    another ISP as soon as possible. I would really like my staff to benefit
    from section 22 protections if possible.

    Regards.

  11. I've just realised I'm stuffed, then.

    I personally own my own domain and personally run my own SMTP server.

    Therefore I don't subscribe to anyone for email, as an individual or otherwise...

  12. The only problem I can see from this (skimming the lengthy thread so excuse me if I've missed an obvious point) ... .uk rules for the assignment of a net.uk domain name are quite clear " Internet Service Providers' infrastructure"

    So if it was an address other than net.uk I could see an argument, but being a net.uk address which cannot be assigned to end users / customers, this would indicate you are emailing from a corporate / business account

    Replies
    1. Indeed, and a lengthy debate on irc on this. There are Nominet rules for net.uk which cover usage, not actually contracts. It is quite possible to use a net.uk email address for business use, but do so by means of contracts that are with the individual staff members involved. But that is beside the point anyway as Nominet rules have no bearing on the wording of the PECR. As I say, it is probably about the most "edge case" I can come up with.
