Is the MailApp compliant with data protection regulations? #10197

Open
Bad-and-Mad opened this issue Sep 28, 2024 · 11 comments

@Bad-and-Mad

Is your feature request related to a problem? Please describe.

In my opinion, the Nextcloud MailApp violates the European General Data Protection Regulation (GDPR): the app manipulates emails by default through automatic tagging. This function should be switched off by default and should only be switched on by active user action. Changing digital content without the user's consent, even if it is only the header of the email, cannot be compliant with data protection regulations. Consent was also not given by installing the app, as there is no explicit reference to the automatic classification of emails. Of course, the user can deactivate the function, but in my opinion the violation is based on the default activation.

Describe the solution you'd like

No response

Describe alternatives you've considered

No response

Additional context

No response

@ChristophWurst
Member

I'll clarify! Thanks for the feedback!

@ChristophWurst
Member

> Consent was also not given by installing the app, as there is no explicit reference to the automatic classification of emails. Of course, the user can deactivate the function, but in my opinion the violation is based on the default activation.

I agree that we are lacking in this area. It's probably best if we add a notice to the setup screen for when users add a new account. Either offer an opt-out in place or make it very clear where they can find the existing opt-out setting. And for admins using the provisioning setting we should do the same.

We are hesitant to make the feature opt-in, because our goal is to improve the user experience with it. The processing itself is not a problem for regulations AFAIK because we only use the local data for training and the training result stays local. The data will never be shared with anyone else.

@Bad-and-Mad does this make sense? I have to admit that I'm not an expert in this area so I appreciate your input!

@Bad-and-Mad
Author

> > Consent was also not given by installing the app, as there is no explicit reference to the automatic classification of emails. Of course, the user can deactivate the function, but in my opinion the violation is based on the default activation.
>
> I agree that we are lacking in this area. It's probably best if we add a notice to the setup screen for when users add a new account. Either offer an opt-out in place or make it very clear where they can find the existing opt-out setting. And for admins using the provisioning setting we should do the same.
>
> We are hesitant to make the feature opt-in, because our goal is to improve the user experience with it. The processing itself is not a problem for regulations AFAIK because we only use the local data for training and the training result stays local. The data will never be shared with anyone else.
>
> @Bad-and-Mad does this make sense? I have to admit that I'm not an expert in this area so I appreciate your input!

In my opinion, it can only be solved properly, comprehensibly and correctly via the OPT-IN variant.

Improving the user experience cannot be a criterion for circumventing data protection regulations.
Any website operator could then use this as a justification for setting cookies that go beyond what is technically necessary.
Here too, only the OPT-IN variant is legally secure.

I also do not believe that the statement that only data is changed locally is correct. For example, automatic tagging permanently changes emails on external IMAP servers.
However, these changes are not technically necessary and therefore - in my opinion - require the user's consent before these changes are made.

Automatically classifying an email as important or similar can be a useful capability of an app. However, this capability is not technically necessary, such as recording the transport route of an email in its header (received header fields).

@mritzmann

mritzmann commented Oct 4, 2024

> even if it is only the header of the email

I have not set up AI on my NC. However, when I tag manually, no mail header is changed. The email itself remains in its original state, also on the IMAP server. The feature, RFC 5464 if I see it correctly, does not change the original file but the IMAP server keeps a separate database for metadata (at least the IMAP server Dovecot does it that way). I'm not sure how GDPR works, but the emails themselves remain in their original state.

Steps to reproduce:

  1. Download email incl. header
  2. Tag an email in Nextcloud
  3. Download email incl. header and diff both files
  4. Nothing has changed

Would have to be verified, but I think other clients also set labels without consent. For example: The auto-enabled built-in spam feature of Thunderbird sets a junk label if an e-mail (with a local algorithm, keyword: Naive Bayes spam filtering) is recognised as spam.
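
The reproduction steps in the comment above, scripted against an IMAP connection. This is an added example, not part of the thread or of Nextcloud Mail; the function names and the `$example-tag` keyword are assumptions, and `conn` is expected to be a logged-in `imaplib` connection with a mailbox selected read-write.

```python
import hashlib
import imaplib


def fetch_raw(conn, uid):
    """Full message (headers and body) via BODY.PEEK[], which does not mark it as read."""
    typ, data = conn.uid("FETCH", uid, "(BODY.PEEK[])")
    # imaplib returns each literal as an (envelope, payload) tuple
    parts = [item[1] for item in data if isinstance(item, tuple)]
    if typ != "OK" or not parts:
        raise RuntimeError(f"FETCH BODY.PEEK[] failed for UID {uid}: {data!r}")
    return parts[0]


def fetch_flags(conn, uid):
    """Flags and keywords the server currently stores for the message."""
    typ, data = conn.uid("FETCH", uid, "(FLAGS)")
    if typ != "OK" or not data or not isinstance(data[0], bytes):
        raise RuntimeError(f"FETCH FLAGS failed for UID {uid}: {data!r}")
    return {flag.decode() for flag in imaplib.ParseFlags(data[0])}


def tag_and_compare(conn, uid, keyword="$example-tag"):
    """Steps 1-4 from the comment: download, tag, download again, compare.

    keyword is a constructed name, not one that Nextcloud Mail uses.
    """
    raw_before, flags_before = fetch_raw(conn, uid), fetch_flags(conn, uid)
    typ, data = conn.uid("STORE", uid, "+FLAGS", f"({keyword})")
    if typ != "OK":
        raise RuntimeError(f"STORE failed for UID {uid}: {data!r}")
    raw_after, flags_after = fetch_raw(conn, uid), fetch_flags(conn, uid)
    return {
        # byte-for-byte comparison of headers and body
        "content_unchanged": raw_before == raw_after,
        "sha256_before": hashlib.sha256(raw_before).hexdigest(),
        "sha256_after": hashlib.sha256(raw_after).hexdigest(),
        # what the tagging actually changed on the server
        "flags_added": sorted(flags_after - flags_before),
    }
```

A `content_unchanged` of `True` together with a non-empty `flags_added` corresponds to the "nothing has changed" result of step 4: the message bytes are identical and only the per-message keyword list differs.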

@Bad-and-Mad
Author

I am of the opinion that it is completely irrelevant whether the email itself or a database of the external mail server is changed. Data is changed and this should always be done with the user's prior consent. It does not make it any better or more legally compliant if other email clients also work in a similar way and change data. However, they usually do so with the user's conscious consent. But that's not important here, because we're only talking about Nextcloud's MailApp.

I don't understand the problem, why it is so absurd to deactivate the function by default and leave the choice to the user. Besides, Nextcloud should be in a position to have this clarified by a data protection lawyer.

@mritzmann

I understand your point (and I think you're right that this should be opt-in) — but the issue you opened was about the modification of emails and the implications of the GDPR. Just wanted to clarify that emails themselves are usually not manipulated by a label.

@Bad-and-Mad
Author

> I understand your point (and I think you're right that this should be opt-in) — but the issue you opened was about the modification of emails and the implications of the GDPR. Just wanted to clarify that emails themselves are usually not manipulated by a label.

In my opinion, it does not matter whether the email is changed physically (direct change of content) or logically (change of metadata directly related to the email). From the client or recipient's point of view, the email is changed without the user's consent.

Thanks for your comment. At least I don't seem to be the only one with data protection concerns here.

@the-djmaze

the-djmaze commented Oct 7, 2024

> In my opinion, it does not matter whether the email is changed physically (direct change of content) or logically (change of metadata directly related to the email). From the client or recipient's point of view, the email is changed without the user's consent.

Do you know how email works?
Every time an email goes through a server, the headers are changed.
That's why emails can have 10+ Received headers.
Every time an email goes through anti-spam and others, new headers are added.
So an email is never the same as you send it!

Nextcloud does not modify the email (and the headers).

Your quest regarding GDPR would mean that all email servers (microsoft outlook, gmail, your hosting provider, etc. etc.) would not comply.

So you should stop using email, whatsapp, etc. etc. etc.
Else email would never be traceable, nor marked as spam, nor checked on malware, etc. etc.

I do agree that it should be opt-in though, as the way how it is implemented has serious impact on all mail applications in use.

@Bad-and-Mad
Author

> Do you know how email works? Every time an email goes through a server, the headers are changed. That's why emails can have 10+ Received headers. Every time an email goes through anti-spam and others, new headers are added. So an email is never the same as you send it!
>
> Nextcloud does not modify the email (and the headers).
>
> Your quest regarding GDPR would mean that all email servers (microsoft outlook, gmail, your hosting provider, etc. etc.) would not comply.
>
> So you should stop using email, whatsapp, etc. etc. etc. Else email would never be traceable, nor marked as spam, nor checked on malware, etc. etc.
>
> I do agree that it should be opt-in though, as the way how it is implemented has serious impact on all mail applications in use.

Ufff

Thanks for the interesting explanation about emails and mail servers - especially about the Microsoft Outlook mail server.
I also find the whataboutism about “WhatsApp” very remarkable. “WhatsApp” is a shining example of excellent data protection.

But never mind. Most people here certainly have a basic idea of the structure of an email, the purpose of the individual components and the functions of MUA, MTA and MDA.

The fields in the header of an email are technically necessary. For example, for documenting the transport route, addressing or for security features - Received, From, To, DKIM-Signature, SPF and many more and the header of the email is subject to constant change - at least until it has “arrived” at the recipient.

However, none of these fields change the meaning of an email, except perhaps entries from spam filters, but these are usually used deliberately by the user.

However, the automatic tagging of an email changes the meaning considerably and it doesn't matter where this information is stored, but this has already been discussed above.

I don't want to rate the MailApp's auto-tagging. For some it is an excellent thing, for others perhaps not. I have only put up for discussion that this function should not be switched on by default but should be made dependent on the user's will (OPT-IN).

@the-djmaze

the-djmaze commented Oct 8, 2024

> I don't want to rate the MailApp's auto-tagging. For some it is an excellent thing, for others perhaps not. I have only put up for discussion that this function should not be switched on by default but should be made dependent on the user's will (OPT-IN).

And that has been discussed before in other issues (and switching it off was not even possible in the past).
At SnappyMail I even got bug reports that my app was auto-tagging. But then we figured out that Nextcloud Mail is doing this and that most mail apps now have UX issues due to that.

The biggest issue is that the Nextcloud Mail is not using a custom flag/tag like $ncm-important for it, or just a separate DB field outside IMAP to prevent the issues.

It should be opt-in and explain the impact on other mail clients.

Maybe someone thought Microsoft priority inbox is a good idea to implement?
Although it is the most annoying idea of Microsoft.
https://www.mica.nl/en/disable-inbox-priority-gosse-explains/
And gmail has a similar feature that does not work.

And #3968

@Bad-and-Mad
Author

I tried to keep the technical aspect out of my initial question “Is the MailApp compliant with data protection regulations?”. I have found the effects of the Nextcloud MailApp's autotagging to be very annoying. I receive more than two hundred emails a day. All of them were very important. So I was glad when I found the switch in the settings. In addition, each MUA seems to handle the tagging of the MailApp a little differently. The mails were tagged differently in Thunderbird than in Roundcube.

I just wanted to raise the question of data protection compliance here. Because in my opinion this is undermined by the MailApp.
