ESPc Deliverability session, Washington DC, November 2016

• A non-profit organisation

• A public/private partnership: law enforcement, ISPs, e-mail security vendors, reputation providers, ESPs, marketers & brands, web hosting companies, the Data Protection Authority

• The National Spam Reporting Center

• An FBL, spamtrap and aggregated IP-level data program for senders

SIGNAL SPAM

SalesForce Experian Orange OVH LaPoste Return Path Criteo

Adobe Cabestan Google Groupon Lexsi Mailchimp Mailjet NP6 Paypal planet.fr Sarbacanne SFR SmartFocus Splio Teradata VadeSecure

Alinto Atos Aweber Bisnode Citobi Consultix ContactLab Dolist dromadaire.com Emailstratégie Epsilon ExpertSender IBM Inxmail MailUp Mailxpertise Odiso ProfilTechnology Rapidmail Staples MailPoet seloger.com Ediware Wondeotec NSP ISpace SailThru

INDUSTRY MEMBERS

Extracts the source code and reports it for:

REPORTING TOOLS FOR BROWSER

REPORTING TOOLS FOR E-MAIL CLIENTS

• Internet users register with Signal Spam and download a plugin for their messaging environment

• End users report anything they consider to be spam

• Signal Spam qualifies the report and extracts the relevant information

• Signal Spam sends the data to the members best suited to take action against that specific spam

END USER REPORTS

DATA PROTECTION AUTHORITY

Top 50 of the biggest spam campaigns

Controls & sanctions

Isabelle Falque-Pierrotin, President of the CNIL

« In the framework of this partnership, the CNIL guides Internet users to the www.signalspam.fr platform and encourages them to report any unwanted e-mail. Indeed, the more Internet users report this type of message, the more effective the fight against spam will be. »

WEB HOSTERS

Transmission of the reports matching the web hosting companies' networks

Dialogue / Restriction / Account closure

Romain Beeckman, Legal counsel at OVH

« The reports we receive via Signal Spam are complete, relevant, verifiable, and allow us to act more quickly against abuses on our network. »

ESP

ARF reports / French ISP aggregated IP-level data / Spamtraps

Internet Users Unsubscription Marketing Regulation

LAW ENFORCEMENT / PUBLIC AUTHORITIES

Legal requisitions of the database

Identify cyber-criminals and provide digital evidence

Anne Souvira, Cyber-investigator at the Home Office

« Reports serve as evidence in the context of our investigations.»

MARKETERS

Monitor brand reputation / phishing website takedown

ARF reports on a brand, or phishing feed

SECURITY

Phishing URL feed, spam feed

Improve filters and blacklists

Georges Lotigier, CEO and Founder of VadeSecure

« We actively contribute to the association by qualifying the spam reported by Internet users (e.g. phishing, scam, or commercial prospecting) so that each actor in the fight against spam can use the alerts sent to Signal Spam accurately and efficiently. »

ISP

Identify compromised internet connections / Mitigation

Clean compromised devices

Philippe Antuoro, Network technical expert at SFR Numéricable

« The diversity of the stakeholders in Signal Spam gives the possibility of setting up quick actions to limit the abuses and frauds conveyed by e-mail. For an operator, the Signal Spam system makes it possible to identify the machines of Internet customers infected by software/malware and used as spam relays. »

Reports allow to:

• Identify cyber-criminals

• Inform the Data Protection Authority of law breaches

• Identify and clean compromised devices

• Unsubscribe Internet users from ESP and marketer lists

• Improve best practices, promote Signal Spam's code of ethics, raise technical standards

• Improve messaging protective tools

EUROPEAN LEGAL FRAMEWORK

Today:

• EU Directive 95/46/CE (personal data protection)

• EU e-Privacy Directive 2002/58/CE (digital prospection), modified in 2009 by 2009/136/CE (introducing the cookie guidelines)

• Transposition into French law: Loi « Informatique & Libertés », LCEN, Article 32.II

• CNIL registration for data processing, and compliance with the declared data processing

• Applicable if established within the EU

Tomorrow:

• General Data Protection Regulation, applicable from May 25th 2018

• Modified e-Privacy Directive 2002/58/CE (digital prospection, cookies, exemptions… )

• Data protection by design & by default

• Accountability regime

• Applicable if professional activity within the EU

Opt-in consent: freely given, specific, informed, unambiguous

RECIPIENTS MUST BE INFORMED OF:

Today:

• Identity of the company responsible for the data processing

• Purposes of the data processing

• Opt-out and modification rights

• Data processing outside the EU

Tomorrow (new obligations, in addition to the above):

• Contact details of the Data Protection Officer

• Legal basis for the data processing

• Legitimate interests

• Length of retention

• Rights to data erasure, restriction of data processing, data portability

• Right to lodge a complaint with the Data Protection Authority

• Profiling (inform recipients that they are subject to automated decisions / describe why)

• Any new purpose of the data processing

• When not collected directly: the source of the data

• Double opt-in

• Freely given

• Specific

• Informed

• Unambiguous

OPT-IN, NOT OPT-OUT

LEGAL FRAMEWORK DOESN'T MATTER SO MUCH!

• Spam is all about perception

• Self-regulation mechanisms in France (IP, domain and list reputation) and Germany (whitelisting)

• Best practices & code of ethics

• No false positives at a 0.6% report rate on a campaign

• Blacklisting at a 1% report rate or 2,000 reports

• Fragmenting campaigns/domains is dangerous

• Learn to work with ISPs and their messaging security vendors

• Watch out for bad customers

DELIVERABILITY ISSUES

• Full ARF reports

• IP-level aggregated data from ISPs

• Spamtrap data on Orange recycled addresses

SUBSCRIBING TO FBL AND REPUTATION DATA

Ask for a data sample on your IP setup ([email protected])
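What an ESP actually does with the "full ARF reports" of the FBL slide, and how the report-rate thresholds of the deliverability slide (0.6% report rate, blacklisting at 1% or 2,000 reports) are applied to them, as an added example. This is not Signal Spam's or any member's code: it parses ARF reports (RFC 5965, the format the slides refer to) with Python's standard email parser, counts complaints per Source-IP and classifies each sending IP against the slide's thresholds. The ARF messages, the sending IPs (documentation range 192.0.2.0/24) and the delivered-message counts are constructed for the example; the verdict labels are this example's own, only the numbers come from the slide.

```python
"""Added example: parse ARF (RFC 5965) feedback-loop reports, count complaints
per sending IP and compare the complaint rate with the thresholds quoted on the
deliverability slide. Sample reports and delivery counts are constructed."""

import email
from collections import defaultdict
from email.message import Message
from email.utils import parseaddr

# Thresholds quoted on the slide: at a 0.6 % report rate the reports are
# genuine, not false positives; blacklisting at 1 % or at 2 000 reports.
GENUINE_COMPLAINT_RATE = 0.006
BLACKLIST_RATE = 0.01
BLACKLIST_COUNT = 2000

# Constructed ARF report with the three parts RFC 5965 prescribes: a
# human-readable text, the machine-readable message/feedback-report fields,
# and a copy of the offending message. Hosts/addresses use example.* names.
_ARF_TEMPLATE = """\
From: fbl@mailbox-provider.example.net
To: fbl@esp.example.com
Subject: FW: Offer of the week
MIME-Version: 1.0
Content-Type: multipart/report; report-type=feedback-report; boundary="arfpart"

--arfpart
Content-Type: text/plain; charset=us-ascii

This is an e-mail abuse report for a message received from IP {ip}.

--arfpart
Content-Type: message/feedback-report

Feedback-Type: {ftype}
User-Agent: ExampleFBL/1.0
Version: 1
Original-Mail-From: <bounce-{n}@esp.example.com>
Original-Rcpt-To: <user{n}@example.net>
Arrival-Date: Thu, 17 Nov 2016 09:{n:02d}:00 +0000
Source-IP: {ip}
Reported-Domain: esp.example.com
Authentication-Results: mx.example.net; dkim=pass header.d=esp.example.com

--arfpart
Content-Type: message/rfc822

From: "Shop" <news@esp.example.com>
To: <user{n}@example.net>
Subject: Offer of the week
Message-ID: <campaign-42-{n}@esp.example.com>
List-Unsubscribe: <mailto:unsub-{n}@esp.example.com>

Offer of the week.

--arfpart--
"""

SAMPLE_ARF_REPORTS = [
    _ARF_TEMPLATE.format(n=n, ip=ip, ftype=ftype)
    for n, ip, ftype in [
        (1, "192.0.2.10", "abuse"),
        (2, "192.0.2.10", "abuse"),
        (3, "192.0.2.10", "abuse"),
        (4, "192.0.2.20", "abuse"),
        (5, "192.0.2.20", "not-spam"),  # recipient rescued it from the junk folder
    ]
]

# Constructed stand-in for the ESP's own sending logs: messages delivered per IP.
SAMPLE_DELIVERED_BY_IP = {"192.0.2.10": 300, "192.0.2.20": 200}


def _header_dict(msg: Message) -> dict:
    """Lower-cased header name -> value; ARF fields that may repeat become lists."""
    out = {}
    for name, value in msg.items():
        key = name.lower()
        if key in ("original-rcpt-to", "reported-uri"):
            out.setdefault(key, []).append(value.strip())
        else:
            out[key] = value.strip()
    return out


def parse_arf(raw: str) -> dict:
    """Split one ARF report into its feedback fields and the original headers.
    Python's parser treats a message/* body as a nested message, so the fields
    of the message/feedback-report part are the headers of its sub-message."""
    msg = email.message_from_string(raw)
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "feedback-report"):
        raise ValueError("not an ARF report: " + msg.get_content_type())
    feedback, original = None, {}
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            feedback = _header_dict(part.get_payload(0))
        elif ctype == "message/rfc822":
            original = _header_dict(part.get_payload(0))
        elif ctype == "text/rfc822-headers":  # some FBLs return headers only
            original = _header_dict(email.message_from_string(part.get_payload()))
    if feedback is None or "source-ip" not in feedback:
        raise ValueError("ARF report lacks a usable message/feedback-report part")
    # Normalise "<user@example.net>" -> "user@example.net" for unsubscription.
    feedback["original-rcpt-to"] = [parseaddr(a)[1] for a in feedback.get("original-rcpt-to", [])]
    return {"feedback": feedback, "original": original}


def classify(complaints: int, delivered: int) -> str:
    """Apply the slide's thresholds to one IP; verdict labels are this example's own."""
    rate = complaints / delivered if delivered else 0.0
    if complaints >= BLACKLIST_COUNT or rate >= BLACKLIST_RATE:
        return "blacklisted"
    if rate >= GENUINE_COMPLAINT_RATE:
        return "genuine complaints"
    return "within noise"


def complaints_by_ip(raw_reports, delivered_by_ip) -> dict:
    """Count complaints per Source-IP and classify each IP. A 'not-spam' report is
    the recipient un-flagging a message and does not count against the IP; an IP
    that appears in reports but not in the sending logs is still listed."""
    counts = defaultdict(int)
    for raw in raw_reports:
        fb = parse_arf(raw)["feedback"]
        if fb.get("feedback-type", "abuse").lower() == "not-spam":
            continue
        counts[fb["source-ip"]] += 1
    summary = {}
    for ip in sorted(set(delivered_by_ip) | set(counts)):
        n, delivered = counts.get(ip, 0), delivered_by_ip.get(ip, 0)
        summary[ip] = {"complaints": n, "delivered": delivered,
                       "rate": n / delivered if delivered else 0.0,
                       "verdict": classify(n, delivered)}
    return summary


if __name__ == "__main__":
    for ip, row in complaints_by_ip(SAMPLE_ARF_REPORTS, SAMPLE_DELIVERED_BY_IP).items():
        print(f"{ip}: {row['complaints']}/{row['delivered']} ({row['rate']:.2%}) -> {row['verdict']}")
```

Run against the constructed data, 192.0.2.10 draws 3 complaints on 300 deliveries (1.00%) and crosses the blacklisting line, while 192.0.2.20 sits at 1 on 200 (0.50%), below the 0.6% level at which the slide treats reports as genuine. The Original-Rcpt-To addresses recovered by parse_arf are what the "unsubscribe Internet users from ESP and marketer lists" action on the earlier slide consumes; the Feedback-Type check matters because an FBL also carries "not-spam" reports that must not be counted as complaints.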