nextcloud / mail

💌 Mail app for Nextcloud
https://apps.nextcloud.com/apps/mail
GNU Affero General Public License v3.0

Is the MailApp compliant with data protection regulations? #10197

Open Bad-and-Mad opened 2 months ago

Bad-and-Mad commented 2 months ago

Is your feature request related to a problem? Please describe.

In my opinion, the Nextcloud MailApp violates the European General Data Protection Regulation (GDPR); the app manipulates emails by default through automatic tagging. This function should be switched off by default and should only be switched on by active user action. Changing digital content without the user's consent, even if it is only the header of the email, cannot be compliant with data protection regulations. Consent was also not given by installing the app, as there is no explicit reference to the automatic classification of emails. Of course, the user can deactivate the function, but in my opinion the violation is based on the default activation.

Describe the solution you'd like

No response

Describe alternatives you've considered

No response

Additional context

No response

ChristophWurst commented 1 month ago

I'll clarify! Thanks for the feedback!

ChristophWurst commented 1 month ago

> Consent was also not given by installing the app, as there is no explicit reference to the automatic classification of emails. Of course, the user can deactivate the function, but in my opinion the violation is based on the default activation.

I agree that we are lacking in this area. It's probably best if we add a notice to the setup screen for when users add a new account. Either offer an opt-out in place or make it very clear where they can find the existing opt-out setting. And for admins using the provisioning setting we should do the same.

We are hesitant making the feature opt-in, because our goal is to improve the user experience with it. The processing itself is not a problem for regulations AFAIK because we only use the local data for training and the training result stays local. The data will never be shared with anyone else.

@Bad-and-Mad does this make sense? I have to admit that I'm not an expert in this area so I appreciate your input!

Bad-and-Mad commented 1 month ago

> Consent was also not given by installing the app, as there is no explicit reference to the automatic classification of emails. Of course, the user can deactivate the function, but in my opinion the violation is based on the default activation.
>
> I agree that we are lacking in this area. It's probably best if we add a notice to the setup screen for when users add a new account. Either offer an opt-out in place or make it very clear where they can find the existing opt-out setting. And for admins using the provisioning setting we should do the same.
>
> We are hesitant making the feature opt-in, because our goal is to improve the user experience with it. The processing itself is not a problem for regulations AFAIK because we only use the local data for training and the training result stays local. The data will never be shared with anyone else.
>
> @Bad-and-Mad does this make sense? I have to admit that I'm not an expert in this area so I appreciate your input!

In my opinion, it can only be solved properly, comprehensibly and correctly via the OPT-IN variant.

Improving the user experience cannot be a criterion for circumventing data protection regulations. Any website operator could then use this as a justification for setting cookies that go beyond what is technically necessary. Here too, only the OPT-IN variant is legally secure.

I also do not believe that the statement that only data is changed locally is correct. For example, automatic tagging permanently changes emails on external IMAP servers. However, these changes are not technically necessary and therefore - in my opinion - require the user's consent before these changes are made.

Automatically classifying an email as important or similar can be a useful capability of an app. However, this capability is not technically necessary, such as recording the transport route of an email in its header (received header fields).

mritzmann commented 1 month ago

> even if it is only the header of the email

I have not set up AI on my NC. However, when I tag manually, no mail header is changed. The email itself remains in its original state, also on the IMAP server. The feature, RFC 5464 if I see it correctly, does not change the original file, but the IMAP server keeps a separate database for metadata (at least the IMAP server Dovecot does it that way). I'm not sure how GDPR works, but the emails themselves remain in their original state.

Steps to reproduce:

  1. Download email incl. header
  2. Tag an email in Nextcloud
  3. Download email incl. header and diff both files
  4. Nothing has changed

Would have to be verified, but I think other clients also set labels without consent. For example: the auto-enabled built-in spam feature of Thunderbird sets a junk label if an e-mail is recognised as spam (with a local algorithm, keyword: Naive Bayes spam filtering).
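The download / tag / download-and-diff check from the steps above, as an added example that is not part of this thread or of Nextcloud Mail: a small imaplib script that hashes one message's raw bytes and records its IMAP flags before and after the message is tagged in a client, so the comparison shows whether the message content or only the flag/keyword metadata changed. Host, account and UID are placeholders; the parsing and comparison helpers run offline.

```python
"""Added example: reproduce the download / tag / download-and-diff check.

Snapshot one message's raw bytes (hashed) and its IMAP flags before and
after tagging it in a client; the comparison shows whether the message
itself or only the flag/keyword metadata changed. Host, account and UID
below are placeholders, not values from the thread.
"""
import getpass
import hashlib
import imaplib
import re

FLAGS_RE = re.compile(rb"FLAGS \(([^)]*)\)")


def parse_flags(fetch_line: bytes) -> set:
    """Flag set from an untagged FETCH line, e.g.
    b'12 (UID 42 FLAGS (\\Seen $label1))' -> {'\\Seen', '$label1'}."""
    match = FLAGS_RE.search(fetch_line)
    return set(match.group(1).decode("ascii").split()) if match else set()


def snapshot(conn: imaplib.IMAP4, uid: str) -> tuple:
    """(sha256 of the raw message, set of flags) for one UID.
    BODY.PEEK[] reads the message without the fetch itself setting \\Seen."""
    status, data = conn.uid("FETCH", uid, "(FLAGS BODY.PEEK[])")
    if status != "OK" or not data or not isinstance(data[0], tuple):
        raise RuntimeError(f"FETCH failed for UID {uid}: {status}")
    header_line, raw = data[0]  # (b'12 (UID 42 FLAGS (...) BODY[] {n}', bytes)
    return hashlib.sha256(raw).hexdigest(), parse_flags(header_line)


def compare(before: tuple, after: tuple) -> dict:
    """Classify the difference: content bytes changed vs. flags added/removed."""
    (digest_before, flags_before), (digest_after, flags_after) = before, after
    return {
        "content_changed": digest_before != digest_after,
        "flags_added": sorted(flags_after - flags_before),
        "flags_removed": sorted(flags_before - flags_after),
    }


if __name__ == "__main__":
    # Placeholders: point these at your own test mailbox.
    conn = imaplib.IMAP4_SSL("imap.example.invalid")
    conn.login("user@example.invalid", getpass.getpass("IMAP password: "))
    conn.select("INBOX")
    before = snapshot(conn, "42")
    input("Now tag the message in the mail client, then press Enter...")
    print(compare(before, snapshot(conn, "42")))
    conn.logout()
```

If `content_changed` stays `False` while `flags_added` lists a keyword, the client wrote only IMAP flag metadata and the stored message bytes are untouched, which is the claim made in the steps above.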

Bad-and-Mad commented 1 month ago

I am of the opinion that it is completely irrelevant whether the email itself or a database of the external mail server is changed. Data is changed and this should always be done with the user's prior consent. It does not make it any better or more legally compliant if other email clients also work in a similar way and change data. However, they usually do so with the user's conscious consent. But that's not important here, because we're only talking about Nextcloud's MailApp.

I don't understand the problem, why it is so absurd to deactivate the function by default and leave the choice to the user. Besides, Nextcloud should be in a position to have this clarified by a data protection lawyer.

mritzmann commented 1 month ago

I understand your point (and I think you're right that this should be opt-in) — but the issue you opened was about the modification of emails and the implications of the GDPR. Just wanted to clarify that emails themselves are usually not manipulated by a label.

Bad-and-Mad commented 1 month ago

> I understand your point (and I think you're right that this should be opt-in) — but the issue you opened was about the modification of emails and the implications of the GDPR. Just wanted to clarify that emails themselves are usually not manipulated by a label.

In my opinion, it does not matter whether the email is changed physically (direct change of content) or logically (change of metadata directly related to the email). From the client or recipient's point of view, the email is changed without the user's consent.

Thanks for your comment. At least I don't seem to be the only one with data protection concerns here.

the-djmaze commented 1 month ago

> In my opinion, it does not matter whether the email is changed physically (direct change of content) or logically (change of metadata directly related to the email). From the client or recipient's point of view, the email is changed without the user's consent.

Do you know how email works? Every time an email goes through a server, the headers are changed. That's why emails can have 10+ Received headers. Every time an email goes through anti-spam and others, new headers are added. So an email is never the same as you send it!

Nextcloud does not modify the email (and the headers).

Your quest regarding GDPR would mean that all email servers (microsoft outlook, gmail, your hosting provider, etc. etc.) would not comply.

So you should stop using email, whatsapp, etc. etc. etc. Else email would never be traceable, nor marked as spam, nor checked on malware, etc. etc.

I do agree that it should be opt-in though, as the way how it is implemented has serious impact on all mail applications in use.

Bad-and-Mad commented 1 month ago

> Do you know how email works? Every time an email goes through a server, the headers are changed. That's why emails can have 10+ Received headers. Every time an email goes through anti-spam and others, new headers are added. So an email is never the same as you send it!
>
> Nextcloud does not modify the email (and the headers).
>
> Your quest regarding GDPR would mean that all email servers (microsoft outlook, gmail, your hosting provider, etc. etc.) would not comply.
>
> So you should stop using email, whatsapp, etc. etc. etc. Else email would never be traceable, nor marked as spam, nor checked on malware, etc. etc.
>
> I do agree that it should be opt-in though, as the way how it is implemented has serious impact on all mail applications in use.

Ufff

Thanks for the interesting explanation about emails and mail servers - especially about the Microsoft Outlook mail server. I also find the whataboutism about “WhatsApp” very remarkable. “WhatsApp” is a shining example of excellent data protection.

But never mind. Most people here certainly have a basic idea of the structure of an email, the purpose of the individual components and the functions of MUA, MTA and MDA.

The fields in the header of an email are technically necessary, for example for documenting the transport route, addressing or for security features (Received, From, To, DKIM-Signature, SPF and many more), and the header of the email is subject to constant change, at least until it has “arrived” at the recipient.

However, none of these fields change the meaning of an email, except perhaps entries from spam filters, but these are usually used deliberately by the user.

However, the automatic tagging of an email changes the meaning considerably and it doesn't matter where this information is stored, but this has already been discussed above.

I don't want to rate the MailApp's auto-tagging. For some it is an excellent thing, for others perhaps not. I have only put up for discussion that this function should not be switched on by default but should be made dependent on the user's will (OPT-IN).

the-djmaze commented 1 month ago

> I don't want to rate the MailApp's auto-tagging. For some it is an excellent thing, for others perhaps not. I have only put up for discussion that this function should not be switched on by default but should be made dependent on the user's will (OPT-IN).

And that has been discussed before in other issues (and switching it off was not even possible in the past). At SnappyMail I even got bug reports that my app was auto-tagging. But then we figured out that Nextcloud Mail is doing this and that most mail apps now have UX issues due to that.

The biggest issue is that the Nextcloud Mail is not using a custom flag/tag like $ncm-important for it, or just a separate DB field outside IMAP to prevent the issues.

It should be opt-in and explain the impact on other mail clients.

Maybe someone thought Microsoft priority inbox is a good idea to implement? Although it is the most annoying idea of Microsoft. https://www.mica.nl/en/disable-inbox-priority-gosse-explains/ And gmail has a similar feature that does not work.

And #3968

Bad-and-Mad commented 1 month ago

I tried to keep the technical aspect out of my initial question ”Is the MailApp compliant with data protection regulations?”. I have found the effects of the Nextcloud MailApp's autotagging to be very annoying. I receive more than two hundred emails a day. All of them were very important. So I was glad when I found the switch in the settings. In addition, each MUA seems to handle the tagging of the MailApp a little differently. The mails were tagged differently in Thunderbird than in Roundcube.

I just wanted to raise the question of data protection compliance here. Because in my opinion this is undermined by the MailApp.

ChristophWurst commented 1 month ago

I will have this clarified.

ChristophWurst commented 1 week ago

I do not have any news yet but will keep you posted.