Uploading an Address-book in Europe? You’d Better Take Care!
By Neil Schwartzman
Director, Certification Security & Standards
A question from a client prompted a flurry of investigation within our Professional Services team here at Return Path.
The client decided to stop using the address-book upload functionality on their social networking sites in light of a court case and legal regulation they had heard about in passing, but were unable to specify.
Naturally, the Professional Services team was on the case and in turn contacted me to see if I knew anything (since I dabble in legal and public policy matters). To find the answer, I decided to pose a question to a discussion mailing list that I am a part of. The response proved to be exactly what we were looking for.
Clarification of the rumor that concerned our client came from Uwe Manuel Rasmussen, attorney at the Paris-based law firm August & Debouzy, which advises the legal department of a global email provider. He stated, in part:
[They were] … probably referring to Opinion 5/2009 of the “Data Protection Directive’s Art. 29 Working Party” (WP29) which was adopted on June 12th, 2009. The Opinion is not a legal regulation, but an expert interpretation of the EU data protection directive. Nonetheless, breaching the Working Party’s recommendations could indeed lead to an enforcement action for violation of the law as the representatives on the WP29 are primarily the Data Protection Authorities charged with enforcing personal data protection legislation in the Member States. The “Art. 29 Working Party’s Opinion” carries much weight.
Section 3.8 of the Opinion states that when a social networking service uses the address book import feature to allow a user to send out invitations to its contacts inviting them to join the Social Network Service (SNS), it should be done under the following conditions:
1. incentive is given to neither sender nor recipient; (i.e. do not offer the chance to win a flat screen TV if you send out an email to your entire address book);
2. the provider does not select the recipients of the message (the user should be given the option to select and deselect the email addresses that will receive the invitation);
3. the identity of the sending user must be clearly expressed;
4. the sending user must know the full content of the message that will be sent on his behalf (best practice is to display a preview of the invitation).
With regard to a legal prosecution in Belgium, I’m thinking [they are referring to] the judgment from the Commercial Court of Huy of 2008 against the social network nicepeople.be. The judgment is not founded on the Opinion as it [occurred] prior to it, but is overall consistent with the recommendations of the WP29.
These are all great points. While respecting the desire of social networks to grow organically, they at the same time uphold the rights of end-users: the right to not be bothered. There is one thing I would add, however, that I’m sure other Return Path affiliates and email deliverability experts would agree with. Social networks should also maintain suppression lists allowing end-users to refuse email or invitations from individual users of those systems or from the system in its entirety. There are some folks who simply do not want to join social networks.
Furthermore, since it is impossible to know where an email address resides or what legal régime is prevalent, we suggest that social networks and others who use address book uploads conform, at the very least, to the EU Opinion noted above.
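The two suppression scopes suggested above (refusing one user, or the whole system), combined with the Opinion's condition that the user rather than the provider selects recipients, can be enforced as a gate in front of the invitation mailer. This is an added example, not Return Path's code: `SuppressionList`, `plan_invitations`, the key and the sample addresses are assumptions, and storing keyed hashes instead of cleartext addresses is a design choice made here, not something the post prescribes.

```python
import hashlib
import hmac

# Constructed key for this example; a deployment would load it from a secret store.
SUPPRESSION_KEY = b"example-only-key"

def address_token(email):
    """Keyed hash of the normalized address, so the list holds no cleartext
    addresses of people who never joined (assumption of this example)."""
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(SUPPRESSION_KEY, normalized, hashlib.sha256).hexdigest()

class SuppressionList:
    def __init__(self):
        self._global = set()      # tokens refusing all mail from the system
        self._per_sender = set()  # (token, sender_id) pairs refusing one user

    def refuse_all(self, email):
        self._global.add(address_token(email))

    def refuse_sender(self, email, sender_id):
        self._per_sender.add((address_token(email), sender_id))

    def is_suppressed(self, email, sender_id):
        token = address_token(email)
        return token in self._global or (token, sender_id) in self._per_sender

def plan_invitations(sender_id, uploaded, selected, suppression):
    """Return (to_send, skipped). Only addresses the user ticked are considered,
    each must come from the user's own upload, and suppression always wins."""
    uploaded_tokens = {address_token(a) for a in uploaded}
    to_send, skipped, seen = [], [], set()
    for addr in selected:
        token = address_token(addr)
        if token in seen:          # never invite the same person twice
            continue
        seen.add(token)
        if token not in uploaded_tokens:
            skipped.append((addr, "not in uploaded address book"))
        elif suppression.is_suppressed(addr, sender_id):
            skipped.append((addr, "suppressed"))
        else:
            to_send.append(addr.strip().lower())
    return to_send, skipped
```

The unsubscribe link in each invitation would call `refuse_sender` or `refuse_all`, depending on which option the recipient chooses.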
At Return Path we discourage the use of address book uploading for several reasons. For one, it violates the Acceptable Use Policy of the major email providers and online services. Secondly, allowing end-users to become accustomed to the notion of entering their username and password anywhere but at the site that holds these credentials is very problematic in this day and age of rampant phishing. That said, there are ways in which this can be accomplished in a safe manner: through the use of APIs or by way of utilities like Facebook Connect [1].
Due to the increasing popularity of the address book upload feature, Return Path has developed a consulting package for senders who use it. Contact firstname.lastname@example.org for more information.
Return Path wishes to thank Uwe Rasmussen for his invaluable contribution.
The advice provided in this post and on this site is provided for informational purposes and of a general nature only and should not be taken in any way as legal advice in whole or in part. Please seek professional legal advice after an examination of your particular circumstance before taking action.
[1] AOL = http://dev.aol.com/openauth
Facebook = http://developers.facebook.com/
Google = http://code.google.com/apis/accounts/AuthForWebApps.html
Hotmail/Windows Live = http://msdn.microsoft.com/en-us/library/ff749458.aspx
Twitter = http://dev.twitter.com/pages/oauth_faq
Yahoo = http://developer.yahoo.com/auth/