Privacy and E-Lists
Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Draft of 8 May 1997

© Xamax Consultancy Pty Ltd, 1997

This paper is at http://www.anu.edu.au/people/Roger.Clarke/DV/E-Lists.html


Abstract

This paper examines the privacy implications of electronic mailing lists (e-lists). Outlines are provided of e-list technology and of privacy, and suggestions made as to measures that e-list subscribers and list-managers can and should take to address privacy concerns.


Contents

Introduction

E-List Technology

Privacy

Privacy Aspects of E-Lists

Conclusions


Introduction

An Internet electronic mailing list (referred to in this paper as an 'e-list') is a set of email addresses that can be reached by addressing a single message to a single address. A copy of the message is generated for everyone on the list.

The purpose of this document is to examine the privacy implications of e-lists. It is a companion document to a broader examination of privacy on the Internet, at http://www.anu.edu.au/people/Roger.Clarke/DV/Internet.html.

The author has no experience of managing e-lists, but has been an active Internet participant for nearly a decade, and has a strong background in privacy matters.


E-List Technology

The generic term for the software that runs e-lists is 'list-server software' or `mailing list management (MLM) software'. A list and description of products is at ftp://ftp.uu.net/usenet/news.answers/mail/list-admin/software-faq. The most commonly encountered programs are:

An e-list has a list-manager, who creates an empty list, advertises its existence, and invites people to 'subscribe' to it. The list-manager has the power to subscribe people, and to 'unsubscribe' them (i.e. delete them from the list).

The list-manager has a number of parameters available, enabling a modest degree of customisation of the list's operation to the preferences of the list-manager and/or the needs of the community it serves. An example is that the Reply-To address that appears in emails forwarded to members can either be the address of the list, or of the person who originated the message. The parameter settings for any particular list are usually visible, e.g. using the 'review' command in listproc.

A list may be 'open' or 'closed'. Openness comprises several features:

Closedness is, of course, the opposite. Instructions on configuring Majordomo to deny non-members the ability to send to the list are at http://www.math.psu.edu/barr/majordomo-faq.html#3.6; and instructions on how to deny non-members the ability to access the set of members on the list are at http://www.math.psu.edu/barr/majordomo-faq.html#3.5.

A list may be 'moderated' or 'unmoderated'. With a moderated list, someone (or possibly a piece of software) examines each message that is submitted, and may choose to forward it unchanged, abbreviate it (e.g. removing excess repetition or unnecessary attachments), check with the putative sender that it is authentic, consolidate it with other messages on the same topic, or block it from being sent to the list.

A primary reason for moderating lists is to increase the quality of communication, and sustain a high 'signal-to-noise ratio'. Material that is typically blocked or abbreviated includes 'flame' attacks, off-topic messages (except for the occasional good joke), defamatory comments and spam. A moderator adopts a position similar to that of a publisher, and hence attracts all of the effort and probably some of the legal responsibility that this entails.

When a person subscribes to an e-list, they are usually sent a welcome message, which includes an explanation as to the purposes of the list, how to get more information, how to use the list-server software, and how to unsubscribe. The message may also be accessible by sending a command to the list-server, e.g. 'info' in majordomo. In most cases, the list-server software provides a default-message that the list-manager can adapt to the particular purpose.

Background information on e-lists (commonly referred to on the Internet as an 'FAQ' - [Answers to] Frequently Asked Questions) is available from a wide variety of sources on the net, including:

Some e-lists offer additional services, including:

E-list technology was developed by skilful and well-meaning amateurs for what were then relatively small communities of people. It has been in existence for about a decade, and drew on some pre-existing ideas (particularly Usenet newsgroups). It is now in enormously widespread use, and some lists contain thousands of addressees.

List-managers and moderators are, in the vast majority of cases, unpaid volunteers, and their payback is simply the warm feeling that they are providing a service to a community. They perform a considerable amount of administration (e.g. of dead and temporarily unreachable addresses, misbehaviour by list-members, and handling of queries about list-purposes and norms).

The technology has not been further developed, and contains a range of significant design weaknesses. For example, people who subscribe to e-lists commonly suffer from 'newbies' sending banal beginners' questions to the list as a whole; from list-members going on holidays and broadcasting 'vacation notice' messages to everyone in reply to each message sent to the list; from people sending large attachments to large lists; and occasionally from someone mutually subscribing two lists to one another, generating a potentially infinite message-loop.

Despite its weaknesses, e-list technology is one of the stimulants and mainstays of virtual communities.


Privacy

Privacy, in the abstract, is the interest that individuals have in sustaining a `private space' within which they can operate free from interference by others.

A vast amount of information about privacy, particularly information privacy, is to be found at http://www.anu.edu.au/people/Roger.Clarke/DV/, and in many other places.

An overview of generally-accepted principles relating to information privacy protection is provided by the OECD Guidelines' Principles, at http://www.anu.edu.au/people/Roger.Clarke/DV/OECDPs.html.

In some jurisdictions, data protection laws, privacy legislation, and even case law, may place list-managers and other people who use e-lists under legal obligations to perform some acts, and to not perform others.

An example is the Commonwealth Privacy Act, which binds (most) Australian government agencies to a set of Information Privacy Principles. For a short summary, see http://www.anu.edu.au/people/Roger.Clarke/DV/PaperPrivacyActShort.html. The Act itself is at http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/index.html, and the Privacy Commissioner whose office was created under that statute is at http://www.austlii.edu.au/hreoc/privacy/.

Three Australian Universities are subject to that Act (A.N.U., Uni. of Canberra, and Northern Territory University), and lists maintained by, and possibly for, those organisations would be subject to it. It is unclear whether list-managers who provide services on their own behalf, but using infrastructure provided by those universities, are also subject to the Act.

In most jurisdictions, whether or not legal requirements exist, a general expectation of `fair information practices' exists, including respect for privacy. This is particularly the case with an e-list, because each e-list is integral to a virtual community, which typically has a very strong ethos.


Privacy Aspects of E-Lists

A series of privacy issues arise in relation to e-lists. This section examines each, including the manner in which privacy concerns are conventionally addressed.

* Availability of One's Emailbox

By subscribing to an e-list, a person is expressly making their emailbox available to the list-server software, and hence to everyone who has the ability to mail to the e-list. Depending on how the list-manager sets the parameters, that may be restricted to list-members (who in turn may or may not be qualified in some way), or open to anyone in the world who has the capacity to discover the address of the list and send an email message.

From a privacy viewpoint, an e-list manager would be well-advised to include in the welcome message, and in any e-list home-page, statements concerning:

* Visibility of One's Email Address

In general, the email addresses that are subscribed to an e-list are visible to anyone who sends a 'who' (majordomo), 'recipients' (listproc), 'list' or 'index' command to the list-server.

Subscription to the e-list could be viewed as implied consent to disclose that information. On the other hand, consent needs to be informed, and it is likely that some users may be ignorant of the fact that their address is visible (and even ignorant of the fact that information is available about how e-lists work).

The list-manager may be able to suppress this function, or restrict it to list-members only. Individual list-members may be able to suppress their own address from appearing in lists generated by 'who', 'recipients', 'list' and 'index' commands.
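As an added illustration (not part of the original paper, and not Majordomo's own code), the Python below audits a Majordomo-style list configuration for the settings discussed here and under 'E-List Technology': who may retrieve the set of members, and who may post. The keyword names are those of Majordomo's list configuration file; the sample configuration, the list name 'example-l' and the function names are constructed for the example.

```python
import re

# Constructed sample configuration for a hypothetical list 'example-l'.
SAMPLE_CONFIG = """\
# access keywords take: open | list | closed
who_access    = open
which_access  = list
index_access  = open
get_access    = list
restrict_post =
"""

# Keywords whose value 'open' lets non-members query the list-server.
ACCESS_KEYS = {
    "who_access": "anyone can retrieve the subscriber addresses ('who')",
    "which_access": "anyone can ask which lists an address is on ('which')",
    "index_access": "anyone can list the archive files ('index')",
    "get_access": "anyone can retrieve archived files ('get')",
}

def parse_config(text):
    """Parse simple one-line 'keyword = value' settings; skip comments."""
    settings = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = re.match(r"^\s*(\w+)\s*=\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def audit(settings):
    """Return (keyword, reason) pairs for settings that expose members."""
    findings = []
    for key, reason in ACCESS_KEYS.items():
        # Assumption: an absent keyword is reported as 'open' so it is reviewed.
        if settings.get(key, "open").lower() == "open":
            findings.append((key, reason))
    # restrict_post names file(s) of permitted senders; empty means unrestricted.
    if not settings.get("restrict_post"):
        findings.append(("restrict_post", "non-members can post to the list"))
    return findings

if __name__ == "__main__":
    for key, reason in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{key}: {reason}")
```

Setting the access keywords to 'list' or 'closed' and naming the list in restrict_post clears every finding for the sample.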

From a privacy viewpoint, an e-list manager would be well-advised to include in the welcome message, and in any e-list home-page, statements concerning:

* Visibility of One's Association with an E-List

Even if a person suppresses their email address from appearing in lists of list-members, the act of sending a message to the e-list in effect declares some awareness of and association with it. This is especially the case where the list can only be posted to by email addresses that are subscribed to the list.

* Visibility of One's Messages

In general, a message that is sent to an e-list is visible to everyone that is subscribed to it; that is, after all, its purpose.

In general, a message sent to an e-list carries identification information concerning the sender, according to the parameter-settings in the sender's email package. This may be at least modestly clear about who the sender is (e.g. Roger.Clarke@anu.edu.au), or it may be uninformative (e.g. 123456.1234@compuserve.com). In general, these settings are under the individual's own control.

It is feasible for a sender to obscure their identity, by:

From the privacy viewpoint, an e-list manager would be well-advised to include in the welcome message, and in any e-list home-page, statements concerning:

* Impersonation of One's Identity

In general, a sender of an email message (whether to an e-list or otherwise) can mislead readers as to the identity of the sender. This may result in mistaken identity (a phenomenon not restricted to the Internet, as Shakespeare, and Gilbert & Sullivan, made quite clear a long time ago). Such problems may arise by accident, or from modest or serious breaches of civil rights or criminal laws.

From the privacy viewpoint, an e-list manager would be well-advised to include in the welcome message, and in any e-list home-page, statements concerning the steps an individual list-member can take to be informed about how email and e-lists work.

* Misrepresentation of One's Message

In general, any receiver of an email message (whether via an e-list or otherwise) can modify and re-transmit the contents (directly to other individuals, or to the same or another e-list). This may mislead readers as to the originator's intended meaning, especially if the message is separated from the thread it belonged to, or from the e-list and associated community to whom it was expressed, or is dismembered and thereby loses internal context. Such problems may arise by accident, or from modest or serious breaches of civil rights or criminal laws.

* Archival of One's Messages

A list-manager may maintain an archive of messages sent to the e-list, and may make it available to list-members alone, or publicly. Such archives may be searchable only in primitive ways, or in quite sophisticated fashion, e.g. on a monthly basis, by date, sender, or 'thread' (subject). For a mature example, see http://www.anu.edu.au/mail-archives/link/browse.html.

There is nothing to prevent any subscriber to an e-list from establishing an archive of messages sent to it, and public domain and shareware software is widely available to support such functions. Such archives may be for personal, restricted, or public use.

Subscription to the e-list could be viewed as implied consent to publish the message-content. On the other hand, consent needs to be informed, and it is likely that some users may be ignorant of the facts about how widely and for how long their messages are visible.

Depending on the context, public archives for a closed list might be seen as a breach of faith by the particular community; but it is not clear that any legal right would exist to prevent them from being implemented or maintained.

From the privacy viewpoint, an e-list manager would be well-advised to include in the welcome message, and in any e-list home-page, statements concerning:

* Long-Term Discoverability of One's Messages

A message that has been archived may be findable by any Internet user, in several ways. In particular:

Subscription to the e-list could be viewed as implied consent to publish the message-content. On the other hand, consent needs to be informed, and it is likely that some users may be ignorant of the facts about how widely, for how long, and in how discoverable a form, their messages are visible.

From the privacy viewpoint, an e-list manager would be well-advised to include in the welcome message, and in any e-list home-page, statements concerning:


Conclusions

E-lists have privacy implications.

During the early years of the Internet, these were largely overlooked by all concerned. As 'net usage increases, so does the social distance that separates the people involved. The clash between long-standing `electronic community' cultures and the emergent corporate culture of `electronic commerce' is exacerbating the concerns.

The result is that:


Created: 6 May 1997

Last Amended: 8 May 1997


These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).