Transcript of the ESPc Deliverability session, Washington DC, November 2016
SIGNAL SPAM
• A non-profit organisation
• A public/private partnership: law enforcement, ISPs, e-mail security vendors, reputation providers, ESPs, marketers & brands, web hosting companies, the Data Protection Authority
• The National Spam Reporting Center
• An FBL, spamtrap and IP-level aggregated-data program for senders
INDUSTRY MEMBERS
SalesForce, Experian, Orange, OVH, LaPoste, Return Path, Criteo, Adobe, Cabestan, Google, Groupon, Lexsi, Mailchimp, Mailjet, NP6, Paypal, planet.fr, Sarbacanne, SFR, SmartFocus, Splio, Teradata, VadeSecure, Alinto, Atos, Aweber, Bisnode, Citobi, Consultix, ContactLab, Dolist, dromadaire.com, Emailstratégie, Epsilon, ExpertSender, IBM, Inxmail, MailUp, Mailxpertise, Odiso, ProfilTechnology, Rapidmail, Staples, MailPoet, seloger.com, Ediware, Wondeotec, NSP, ISpace, SailThru
END USERS REPORTS
• Internet users register with Signal Spam and download a plugin for their messaging environment
• End users report anything they consider to be spam
• Signal Spam qualifies the report and extracts the relevant information
• Signal Spam sends the data to those of its members best suited to take action against that specific spam
DATA PROTECTION AUTHORITY
Top 50 of the biggest spam campaigns
Controls & sanctions
Isabelle Falque-Pierrotin, President of the CNIL:
« In the framework of this partnership, the CNIL guides Internet users to the www.signalspam.fr platform and encourages them to report any unwanted e-mail. Indeed, the more Internet users report this type of message, the more effective the fight against spam will be. »
WEB HOSTERS
Transmission of the reports matching the web hosting company's network
Dialogue / restriction / account closure
Romain Beeckman, Legal counsel officer at OVH:
« The reports we receive via Signal Spam are complete, relevant, verifiable, and allow us to act more quickly against abuses on our network. »
ESP
ARF reports / French ISP aggregated data on IP level / spamtraps
Unsubscription of Internet users / marketing regulation
LAW ENFORCEMENT / PUBLIC AUTHORITIES
Legal requisitions against the database
Identify cyber-criminals and produce digital evidence
Anne Souvira, Cyber-investigator at the Home Office:
« Reports serve as evidence in the context of our investigations. »
MARKETERS
Monitor the brand's reputation / phishing website takedown
ARF reports on a brand or a phishing feed
SECURITY
Phishing URL feed, spam feed
Improve filters and blacklists
Georges Lotigier, CEO and Founder of VadeSecure:
« We actively contribute to the association by qualifying the spam reported by Internet users (e.g. phishing, scam, or commercial prospecting) so that each actor in the fight against spam can use the alerts sent to Signal Spam accurately and efficiently. »
ISP
Identify compromised Internet connections / mitigation
Clean compromised devices
Philippe Antuoro, Network technical expert at SFR Numéricable:
« The diversity of the stakeholders in Signal Spam gives the possibility of setting up quick actions to limit the abuses and frauds conveyed by e-mail. For an operator, the Signal Spam device makes it possible to identify the stations of Internet clients infected by software / malware and used as relays of spam. »
REPORTS ALLOW TO:
• Identify cyber-criminals
• Inform the Data Protection Authority of law breaches
• Identify and clean compromised devices
• Unsubscribe Internet users from ESP and marketers' lists
• Improve best practices, promote Signal Spam's code of ethics, raise technical standards
• Improve messaging protective tools
EUROPEAN LEGAL FRAMEWORK (today / tomorrow)
Today:
• EU Directive 95/46/CE (Personal Data Protection), transposed into French law as the Loi « Informatique & Libertés »
• EU e-Privacy Directive 2002/58/CE (Digital Prospection), modified in 2009 by 2009/136/CE (introducing cookies guidelines), transposed into French law as LCEN Article 32.II
• CNIL registration for data processing
• Compliance with the statement of data processing
• Applicable if established within the EU
• Opt-in
Tomorrow:
• General Data Protection Act, applicable from May 25th 2018
• Modified e-Privacy Directive 2002/58/CE (Digital Prospection, cookies, exemptions… )
• Data Protection By Design & By Default
• Accountability Regime
• Applicable if professional activity within the EU
• Opt-in: freely given, specific, informed, unambiguous
RECIPIENTS MUST BE INFORMED OF (today / tomorrow):
Today:
• Identity of the company responsible for the data processing
• Aims of the data processing
• Opt-out and modification rights
• Data processing outside the EU
Tomorrow (new obligations, in addition to the above):
• Contact details of the Data Protection Officer
• Legal basis for the data processing
• Legitimate interests
• Length of conservation
• Rights to data erasure, limitation of data processing, transportability of data
• Right to lodge a complaint with the Data Protection Authority
• Profiling (inform recipients that they are subject to automated decisions / describe why)
• Any new final objective of the data processing
• When not directly collected: source of the data collection
DELIVERABILITY ISSUES
Legal framework doesn't matter so much!
• Spam is all about perception
• Auto-regulation mechanisms in France (IP, domain and list reputation) and Germany (whitelisting)
• Best practices & code of ethics
• No false positives once 0.6% of recipients report a campaign
• Blacklisting at 1% or 2 000 reports
• Fragmenting campaigns or domains is dangerous
• Learn to work with ISPs and their messaging security vendors
• Watch out for bad customers
SUBSCRIBING TO FBL AND REPUTATION DATA
• Full ARF reports
• IP-level aggregated data from ISPs
• Spamtrap data on Orange recycled addresses
Ask for a data sample on your IP setup ([email protected])
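The FBL data and the complaint thresholds above, as an added example that is not part of the session or of Signal Spam's own tooling: it parses one constructed ARF (RFC 5965) report in the shape an FBL delivers, ties it back to a campaign through a hypothetical X-Campaign-ID header, and classifies the campaign against the 0.6% / 1% / 2 000-report thresholds quoted in the deliverability slide.

```python
import email
from email.utils import parseaddr

# Thresholds quoted in the session: from 0.6 % of recipients reporting, complaints are
# no longer false positives; blacklisting at 1 % of recipients or 2 000 reports.
GENUINE_RATE, BLACKLIST_RATE, BLACKLIST_COUNT = 0.006, 0.01, 2000

# Constructed ARF (RFC 5965) report in the shape an FBL delivers.
# X-Campaign-ID is a hypothetical sender-side tag, not a Signal Spam field.
SAMPLE_ARF = """\
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: message/feedback-report

Feedback-Type: abuse
Original-Rcpt-To: <user@isp.example>
Source-IP: 192.0.2.10
--b1
Content-Type: message/rfc822

X-Campaign-ID: promo-2016-11

Hello
--b1--
"""


def parse_arf(raw):
    """Pull the fields a sender acts on out of one ARF report."""
    msg = email.message_from_string(raw)
    if msg.get_param("report-type") != "feedback-report":
        raise ValueError("not an ARF feedback report")
    out = {}
    for part in msg.walk():
        if part.get_content_type() == "message/feedback-report":
            fields = part.get_payload()[0]  # the field block parses as a nested message
            out["feedback_type"] = fields["Feedback-Type"]
            out["source_ip"] = fields["Source-IP"]
            out["recipient"] = parseaddr(fields.get("Original-Rcpt-To", ""))[1]
        elif part.get_content_type() == "message/rfc822":
            out["campaign"] = part.get_payload()[0].get("X-Campaign-ID")
    return out


def campaign_status(reports, sent):
    """Classify one campaign's complaint count against the thresholds above."""
    rate = reports / sent
    if reports >= BLACKLIST_COUNT or rate >= BLACKLIST_RATE:
        return "blacklisted"
    return "genuine complaints" if rate >= GENUINE_RATE else "ok"
```

The recipient extracted from Original-Rcpt-To is the address to unsubscribe, and the campaign tag is what the status check is keyed on.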