Anonymous or pseudonymous: Blocking lists and the EU GDPR
January 2019 by
So that the Christmas mailing doesn’t cause trouble: Hashes, Rainbow Tables and Salts.
Actually, you only meant well: you wanted to boost sales with your Christmas mailing, or to wish as many customers, near-customers, newsletter recipients and business partners as possible happy and peaceful holidays. Unfortunately, your mail also reached some addressees who did not want to receive any more e-mail from you. Of course, you have always maintained your mailing lists carefully and removed everyone who unsubscribed, but somehow one address or another mistakenly ended up in your mailing list again, for example through a re-import. This may upset the unintentionally contacted addressees, and in the long run it damages your reputation as a sender as well as your turnover.
To prevent this from happening, e-mail service providers usually keep so-called blacklists, which prevent the addresses they contain from being e-mailed, either by certain customers only or by anyone at all. Under the EU General Data Protection Regulation, which came into effect about six months ago, however, the storage of personal data is not without its problems, even if it only serves the above-mentioned purpose.
The situation is tricky: on the one hand, an e-mail address may no longer be e-mailed because of a deletion request; on the other hand, the e-mail address may not be stored either, even though storing it would guarantee exactly that. But there is a solution. So-called hash algorithms are used to generate hash values from e-mail addresses, and these hash values cannot easily be traced back to the e-mail address. The hash values are then stored in the blocking list and compared with the hash value of each mail address to be imported. If there is a match, the corresponding mail address is blocked and must not be e-mailed.
The system works, but it has its pitfalls. First, the algorithms that generate the hashes will be overtaken by technical development and will at some point no longer be considered secure. The second vulnerability is the so-called rainbow tables: resourceful minds use common hash algorithms to generate huge lists of input values together with the hash values generated from them. In these lists you can look up hash values as in a dictionary and reconstruct the underlying input, i.e. the mail addresses. There is a remedy for both problems. Hashes generated with an algorithm that is no longer secure can be hashed again with a modern, secure algorithm. And against rainbow tables a "salt" helps: a value that is attached to the value to be hashed, the mail address, before the hash is generated. A separate rainbow table would then have to be created for each possible salt to crack the mail addresses, which is possible in theory but infeasible in practice.
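As an added example (not code from this article or from the CSA), here is a minimal blocking list that stores salted hashes and upgrades entries from an older unsalted list by hashing them again. MD5 as the outdated algorithm, SHA-256 as the modern one, the list-wide salt and all function names are assumptions for illustration.

```python
import hashlib

# Assumptions (not from the article): MD5 stands in for the outdated
# algorithm, SHA-256 for the modern one, and one list-wide salt is used so
# every import candidate can be compared against the same list. Keep the salt
# secret and apart from the list: e-mail addresses are guessable, so whoever
# holds both can hash candidate addresses and compare.
LIST_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed

def normalize(address: str) -> bytes:
    """Trim and lowercase so spelling variants of one address match."""
    return address.strip().lower().encode("utf-8")

def salted_hash(address: str, salt: bytes = LIST_SALT) -> str:
    """New-style entry: salt attached to the address before hashing."""
    return hashlib.sha256(salt + normalize(address)).hexdigest()

def legacy_hash(address: str) -> str:
    """Old unsalted entry, the kind a rainbow table can look up."""
    return hashlib.md5(normalize(address)).hexdigest()

def upgrade_legacy(legacy_hex: str, salt: bytes = LIST_SALT) -> str:
    """Hash an old entry again with salt and modern algorithm.
    The original address is not needed for the upgrade."""
    data = salt + b"legacy:" + legacy_hex.lower().encode("ascii")
    return hashlib.sha256(data).hexdigest()

def is_blocked(address: str, blocklist: set, salt: bytes = LIST_SALT) -> bool:
    """An import candidate matches if either entry form is on the list."""
    forms = (salted_hash(address, salt),
             upgrade_legacy(legacy_hash(address), salt))
    return any(form in blocklist for form in forms)

def filter_import(addresses, blocklist, salt: bytes = LIST_SALT) -> list:
    """Return only the addresses that may still be mailed."""
    return [a for a in addresses if not is_blocked(a, blocklist, salt)]

if __name__ == "__main__":
    # Constructed sample data: one fresh entry, one migrated legacy entry.
    old_list = [legacy_hash("bob@example.org")]
    blocklist = {salted_hash("alice@example.org")}
    blocklist |= {upgrade_legacy(h) for h in old_list}
    print(filter_import([" Alice@Example.org", "bob@example.org",
                         "carol@example.org"], blocklist))
```

Because migrated entries have a different form from fresh ones, every lookup has to compute both forms for as long as upgraded legacy entries remain on the list.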
So much for technical practice. What about legal theory? The EU General Data Protection Regulation (GDPR) only applies to personal data. E-mail addresses are personal data, but what about hashed e-mail addresses? According to the legislation, it depends on whether the hashing of (personal) e-mail addresses is a pseudonymisation or an anonymisation. With the first method, using simple hashes, recovering the personal e-mail addresses is relatively easy and requires no considerable effort, so this method is merely a pseudonymisation. The hashes generated in this way are therefore still considered personal data and are also subject to the GDPR. The second method is different: personal data that has been provided with a "salt" and hashed, in the best case several times, with modern, secure algorithms can only be assigned to a mail address, if at all, with a considerable amount of effort.
The mail experts of the Certified Senders Alliance (CSA) therefore recommend the second, somewhat more complex procedure for the implementation of revocation lists, so that the GDPR does not apply. These and similar legal issues will also be discussed in a legal workshop on April 12th. The workshop is part of the CSA Summit 2019, held from 10 to 12 April 2019 in Cologne. Detailed information on the subject of blacklists can also be found at https://certified-senders.org/wp-co....
The Certified Senders Alliance (CSA) is a joint whitelisting project of the Internet Association eco e.V. and the German Dialog Marketing Association (DDV). Current information on the work of the CSA, on CSA certification and on current technical and legal aspects can be found at https://certified-senders.org/de/.