Feedback loops sent to third parties tend to have PII stripped. Based on a definition of PII that does not regard IP addresses as personal data. <div class="gmail_quote">On Jul 26, 2012 11:05 PM, "Alessandro Vesely" <<a href="mailto:vesely@tana.it">vesely@tana.it</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> On Thu 26/Jul/2012 18:37:55 +0200 Tobias Knecht wrote: >> In the words of RFC 6650: > > Don't get me wrong, this rfc is a good one an clarifies some things, > but it is written by Americans under their understanding of US law. IMHO, it is not so much being Americans or whatever, as being versed on legal points of view. > Some things that are mentioned are not possible under European > Jurisdiction. For example providing Feedbackloops is especially in > Germany a very critical task. Is it? I guess in Italy we have more or less the same European directives. So long as the user is clearly informed about what data is being sent to who, and grants her/his consent to that, it should be legal to do FBLs. Yet, IANAL. The best thing, IMHO, would be do gather users' consent on the first time they hit a "This is Spam" button. At the same time, give them the option to redact their email address in the header. (See <a href="http://tools.ietf.org/html/rfc6590" target="_blank">http://tools.ietf.org/html/rfc6590</a> ). > So rfc 6650 is good but unfortunately does not fit all use and legal > cases. We need to clear up this issue. Googling for that I find that ETIS, which is based in Europe, has an "Anti SPAM Co-operation Group" that "is also working on an anti-spam feedback loop project." (Quotes from <a href="http://etis.org/groups/anti-spam-task-force" target="_blank">http://etis.org/groups/anti-spam-task-force</a> ). I'd guess you know them; they have a meeting on next Oktoberfest... Would they cover those legal concerns? A recurring objection in the acm-tf was that RIPE handles just a region, and therefore we'd need anti-abuse practices to be specified by some global body such as the IETF. Now we have it. We should use it as we use SMTP. And the fact that our law is better than theirs should be an aid, not a hindrance! > In addition to that, I do not have any problem in single persons > reporting abuse incidents as long as they are useful. And even people > in the registration business sometimes do not know how to report > correctly, which is not bad it's just that they haven never done it > before and need somebody/something that guides them through, which > should be one of the next tasks for this community to define. Very much agreed. We need to exchange scripts and ideas. </blockquote></div>