2019-02-15

When is an email address not an email address?

I just saw an interesting tweet...
This case hinges on what is an email address. The key issue was that someone mistyped their email address on a form, leaving out a dot in the local part and hence did not get an email that was sent. The email did not bounce (which is not that uncommon), so the sender has no way to know the email address was not right.

The judgement is odd to me, it is that it is not in fact an email address if it is not valid. i.e.
I have come to the view that the expression “an email address” means an actual email address and not, as here, an address that has never been set up or registered to any user or users.
So, to be an email address, it has to be set up or registered to a user, whatever that means!

This raises all sorts of questions. What does set up, or registered even mean even? Who has the authority to say if an email address is registered to someone - where is this register kept? What if the email is registered to someone else, i.e. it is not the email address that was intended?

This does, however, raise a huge issue with both judgements like this and legislation like the PECR (The Privacy and Electronic Communications (EC Directive) Regulations 2003). In both cases there is a big issue which seems to have been missed - how does someone determine what they have? How does one actually apply the law/ruling in practice?

In this judgement, how does the sender know if the email address is an email address where the test is whether it is set up, or registered to any user (not even to the intended user). There is no test for that, and no way for the sender to know. They cannot rely on "does the email bounce?" as in this case the email did not, and that was not good enough.

In the PECR there is a test of whether the email address is for an individual subscriber. This too is defined, but it depends on the way the subscriber contracts for the communication service. This is something that the sender has no way to tell, but it changes whether they can send an email without being in breach of the regulations. Essentially the PECR only works if the sender has to assume every possible email address may be of an individual, so is not valid for unsolicited marketing. They have no way to know, meaning ALL emails are in scope and should not be sent (if unsolicited marketing emails). If that was the intention of the law, then why not say that - why create the illusion in the law that sending to commercial subscribers is OK when there is no test a sender can apply in order to comply. Either that of the sender has a defence that they could not know, and so the law is effectively useless. Basically the law is bad law as those that need to follow it have no way to reliably do so.

In this judgement there is a similar issue - the party sending the email needs to know they have an email address or not as it changes what they do and what timescales things have. They have no test they can apply to determine if what looks like an email address is in fact an email address based on this judgement.

Indeed, as warned in the case, the intended recipient of the email can game the system by providing an email they know to be invalid but which does not bounce.

You also have the question of when the email is valid. Is it set up, or registered to a user when supplied, or when the email was sent? Anyone with a domain can decide if and when an email is valid on a whim as they require.

And then there are wildcard domains, which some people have, and emails using wildcards and pattern matches. None of these (as complete email addresses) are registered to a user so does that mean all such email addresses are now invalid, and not an email address under law?

Shame...
Update...

After a bit more discussion, I still feel quite strongly this is just wrong.  The wording is :-
(3)  An early conciliation certificate will be deemed received—
(a)  if sent by email, on the day it is sent; or
To me, this makes it pretty clear that the sender has done their job if they send an email (to the address notified to them). This is pretty common wording for email and post, and it means that if the person providing the address makes a mistake, then that is their problem. The sender is expected to send to the address notified - there is not any more you can expect from them, and it is not their fault if the address turns out to be wrongly provided to them, and also not their fault if the delivery system (post, or email) does not get it to the recipient.

The wording could have been something that requires the recipient to have actually received the notice/certificate. I have seen things like that. That would put the onus on the sender to somehow check the recipient has got it, and make the sender responsible for correct addressing and delivery. But that is not the wording in this case. To me, this means a typo is the problem of the person that makes the typo.

The ruling could have said a typo is the problem of the person making the typo, with possible exception that something that is obviously not an email address should be spotted by the sender (i.e. just has to have the appearance of an email address, or meet the internet standards). The ruling could have said this is all down to communicating, and the email has to actually be the correct one for the recipient, and if the email does not get to them, it is not "deemed received".

To me, the whole point of "deeming" it received is because actual receipt is not the senders problem. If the law as that it actually has to be received, by the right person, it would not need a clause on "deeming" it so.

The actual ruling is in the middle. It says that it is not "an email address" even if it "looks like one" if not "set up" or "registered to a user". So a typo is the problem of the person making the typo if and only if their typo ends up being a valid email address. But if their typo makes an email that is not a valid email address it is the problem of the sender (who has no way to tell there was a typo), even if the mistyped email has a valid domain with MX record and email correctly goes to that server.

Surely the judge should have clearly decided - "whose responsibility is it if a typo is made?" Having decided that, one way or the other, he could make a ruling on whether this is an email address or not. This ruling does not actually answer that.

This comment muddies the water even more :-
Since the object of the Form is to enable communication, the intention must have been to solicit an email address that could be used to send the certificate. If so the phrase must mean an actual email address.  That is what the request on the form sought. I find it difficult to accept that Parliament intended the words “an email address” to include invalid addresses that could not be recognised as an email address by a server and forwarded.
But the email address was one that could be "recognised and forwarded" as the domain part was not mistyped, so the mail could be sent to the correct MX record. This is the same as sending a letter to a postal address. What happens then is down to name or department written on the letter, but it has been delivered to the "address" by the postal service.

3 comments:

  1. Send an email to the address, asking the user to click a link (or reply) to prove they got it, and that they are the person who requested it.

    Now you either have a working email address or someone committing fraud.

    ReplyDelete
    Replies
    1. Back to the recipient having power to ignore it, same as power to deliberately give diff address. Then idea is sender has issued the notice by sending an email.

      Delete
  2. 𓂺 (Cockburn - pronounced "Coburn")Tuesday, 19 February 2019 at 13:12:00 GMT

    A "registered email address" hey.

    People do love the idea of central control and authority of everything, don't they.

    "I'm sorry sir, your email address isn't on our register so it's not an officially authorised email".

    Seems to go against everything that the web was built on.

    ReplyDelete

Comments are moderated purely to filter out obvious spam, but it means they may not show immediately.