[aw3c2]

FYI, in Germany if you provide more than 10000 mailboxes you have to add a SINA box to your network. https://de.wikipedia.org/wiki/Sichere_Inter-Netzwerk_Archite...

This allows law enforcement to silently direct specific user's mails to them. This requires a ruling and the provider will be aware of it. Still, I think a company like this should mention this in a full disclosure spirit as it can render their promise "No disclosure: Your data remains with us. We never pass on any data to third parties without authorization." void.

--- I do not understand the Legal Certainty paragraph.

[cavac]

Data Privacy Statement from mailbox.org:

"According to TKG Section 113 (German Telecommunications Law), the public prosecutor and the police can access the user data held by telecommunications providers such as ourselves relatively easily. A simple information request suffices; no court order is needed. According to TKG Section 113, a telecommunications provider has no legal recourse against such a request; it must comply. It should also be noted that according to TKG Section 113 (II), the provider is required to treat such a request confidentially, and that the affected customer must not be informed about the request."

https://mailbox.org/en/data-protection/

[ushi]

You should have included the next paragraph. They make a difference between user data and the users emails:

"Access to the log data of mail and web servers and to the e-mails contained in a mailbox, on the other hand, requires a search and seizure warrant signed by a judge, unless the investigative authorities can claim exigent circumstances. Telecommunications providers again have no legal recourse against search warrants; seizure of the log data cannot be denied."

[blumkvist]

Best privacy-protection laws?...

...yeah... the law does its job, perhaps, a bit too well.

[pheinlein]

A SINA Box is nothing else then a kind of VPN Gateway. A SINA Box does NOT provide direct access to a user's mailstore or something else. The still have to get in contact with the ISP to set the interception up and running. There's is no "silent access" just because of having a SINA box.

Anyway: mailbox.org does NOT have a SINA box installed.

Peer (founder of mailbox.org)

[sergiosgc]

This is the German implementation of the European Data Retention Directive [1]. The legal landscape across the EU is bound to be similar. The gist of the directive, regarding email is: providers must retain sender, recipient, date and IP address information for a period (6 to 24 months, depending on the country). This data may be requested by a court order, and only by court order.

The directive says nothing about the secrecy of the request, so this is up to the specific implementation in member states. In Germany it is secret, in Portugal it is public except for complex cases in investigative phase (a specific, well defined situation meant to deal with large organized crime). I don't know about other countries, but since our laws are usually modeled on the French version, I'd wager France is similar to Portugal (actually, it's the other way around)

[1]http://en.m.wikipedia.org/wiki/Data_Retention_Directive

[aw3c2]

No, it is a different thing but the DRD is another thing that they should mention indeed.

[ronaldx]

> I do not understand the Legal Certainty paragraph.

My interpretation is: Spam is deleted in order to give you plausible deniability that you haven't received and read it.

i.e. There is no spam folder.

But, this seems like it would normally be a bug rather than a feature.

[pheinlein]

Spam is REJECTED and not deleted. In cause of a possible false positive the sender (!) will receive a non delivery report. Deleted e-mails is always forbidden.

Peer (mailbox.org)

[ronaldx]

Great, thanks :)

It is not exactly clear (on the website) what you mean by 'rejected', so the English text could be improved to make your meaning more explicit. Perhaps 'returned' would be better?

Good luck!

[pheinlein]

In a technical language, "rejecting" (I don't accept that message) and "bouncing" (I accept it, but I will send it back later) is clear defined. Returning would be "bouncing", because I do NOT return, I do NOT ACCEPT.

That's a big and very important difference.

[snori74]

They should be slightly more explicit, but "...before the e-mails are accepted and reject anything that looks suspicious..." almost certainly means that spam is rejected with a 5xx message - or goes to your InBox, but is never accepted then hidden from you in a spam folder.

It's a good approach, and from a legal perspective I'm surprised more systems don't take this approach, because legally (at least in my local jurisdiction), you're deemed to have received an email when it "enters that information system" - i.e. when your SMTP server says 250.

This stuff matters quite a lot in the formation of contracts.

[ronaldx]

So stuff which appears to be spam is bounced, with a return message.

On reflection, this does seem like a better system. I had imagined a silent fail as per other popular e-mail hosts.

[snori74]

Yes, but the "bounce message" comes to the sender from their own mail system, saying "could not deliver".

This is important, because the receiving system doesn't have a guaranteed way of reaching the sender - modern spam typically fakes the "From:" and <return-path> fields - so well-run systems nowadays never try to do so for fear of generating what's referred to as email backscatter spam.

[ushi]

Here are the corresponding paragraphs in the Telekommunikationsgesetz (german):

https://www.bundesnetzagentur.de/cln_1432/DE/Sachgebiete/Tel...

[raverbashing]

Or basically (this is the middle paragraph)

"Due to the legal regulations, anyone who business provides telecommunications services or it participates, to allow for the presence of a written arrangement authorized agencies monitoring and recording of telecommunications of an accused and to provide the relevant information. Whether and to what extent the persons liable for participation telecommunications companies must make arrangements for the implementation of monitoring activities or the provision of information, is governed by Section (§) 110 of the Telecommunications Act (the Act) and the Telecommunications Interception Ordinance (TKÜV). The Federal Network Agency is responsible for drawing up the technical specifications and the enforcement of the technical equipment and organizational measures"

[stfu]

Wouldn't be the logical consequence to open a new subsidiary firm every 8000-9999 accounts?

[BCM43]

I'm not sure how much work that is, but I'm guessing it's a lot for every $10,000 a month you get. I'm also guessing you can't share the same domain.