SMTP, STARTTLS and GDPR

In a previous post I pointed out that FTP may be illegal under GDPR and similarly, sending emails might be illegal too.

When sending an email, here is what usually happens:

  • the sender’s email client (MUA) sends the email to its email provider server (MTA);
  • that MTA then sends the email to the recipient provider’s MTA;
  • then the recipient’s MUA will download the email from that MTA.

Between both MTAs, the SMTP protocol is used. Between the MUAs and the MTAs, emails are transferred using HTTP, HTTPS, IMAP or POP.

Now when a company is handling personal data of European citizens, it has to follow the GDPR rules, which, among others, state that the personal data have to be handled securely and can’t be transferred outside the European Union unless some conditions are met.

And of course almost all companies send emails, and they all contain personal data (at least the recipient’s email address). So the questions are: are emails sent securely and are they sent outside the European Union?

Where are the emails going?

Whether an email can be sent outside the EU is quite easy to deal with. Usually the company’s Privacy Policy states that the company does not send the data to third parties other than its subcontractors, or outside the European Union, unless asked by the user.

The user, when providing his email address for the purpose of receiving emails, implicitly grants the company the right to send emails to the user wherever the user’s email provider servers are located (IANAL but that’s what I understood so far).

Are they going there securely?

Short answer: no.

The company has control over its own MUA and MTA and can ensure that the communication between them is secure. Between the MTAs, the SMTP protocol is used and is not secure by default but can be if both SMTP servers support the STARTTLS command (90 % of emails going out of GMail are sent to servers supporting STARTTLS). The company could refuse to send emails to an MTA that does not support STARTTLS and ask the user to provide an email address from a different provider (I haven’t seen any company do that so far). But then there’s the final part, between the user’s MUA and MTA. Nowadays, that part is probably secure, but that’s not certain and the company has no power over it.
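The policy described above (send only to MTAs that advertise STARTTLS, otherwise refuse) hinges on reading the peer’s EHLO reply, because an MTA announces STARTTLS as one of its EHLO extensions. The following is an added example, not code from the original post: it parses a 250 EHLO reply, reports whether STARTTLS is offered, and applies either a mandatory-TLS or an opportunistic-TLS policy. The two EHLO replies are constructed samples, and the host names in them are placeholders.

```python
"""Parse an SMTP EHLO reply and decide whether a message may be relayed
to that MTA under a 'STARTTLS required' policy.

Added example for illustration; the EHLO replies below are constructed,
not captured from any real provider.
"""
from typing import Dict

# Constructed sample EHLO replies in the RFC 5321 multi-line 250 format:
# "250-" continues the reply, "250 " (space) is the last line.
EHLO_WITH_STARTTLS = (
    "250-mx.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250-PIPELINING\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mx.legacy.example Hello client.example.org\r\n"
    "250-SIZE 10485760\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_extensions(reply: str) -> Dict[str, str]:
    """Return {EXTENSION_KEYWORD: parameters} from a 250 EHLO reply.

    The first line is the server greeting (domain + free text), so it is
    skipped; every following line must carry the 250 code.
    """
    lines = [line for line in reply.split("\r\n") if line]
    if not lines or not lines[0].startswith("250"):
        raise ValueError("EHLO was not accepted: %r" % reply[:40])
    extensions: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.startswith("250"):
            raise ValueError("unexpected reply line: %r" % line)
        body = line[4:]  # drop "250-" or "250 "
        keyword, _, params = body.partition(" ")
        extensions[keyword.upper()] = params
    return extensions


def supports_starttls(reply: str) -> bool:
    """True if the peer MTA advertised the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo_extensions(reply)


def relay_decision(reply: str, require_tls: bool = True) -> str:
    """Apply the sending policy to one EHLO reply.

    'send'           : peer offers STARTTLS, upgrade the session and deliver
    'refuse'         : no STARTTLS and the policy is mandatory TLS
    'send-cleartext' : no STARTTLS and the policy is opportunistic TLS
    """
    if supports_starttls(reply):
        return "send"
    return "refuse" if require_tls else "send-cleartext"


if __name__ == "__main__":
    for name, reply in (("modern", EHLO_WITH_STARTTLS),
                        ("legacy", EHLO_WITHOUT_STARTTLS)):
        print(name, "->", relay_decision(reply),
              "/ opportunistic:", relay_decision(reply, require_tls=False))
```

On a live connection Python’s smtplib does this bookkeeping for you: after `server.ehlo()`, `server.has_extn("starttls")` returns the same answer as `supports_starttls` above. One caveat a practitioner should keep in mind: the EHLO reply itself travels in cleartext, so an on-path attacker between two MTAs can strip the STARTTLS line and a purely opportunistic policy will fall back to cleartext without noticing. This is why a mandatory-TLS policy (the "refuse" branch) is the safer default, and why mechanisms such as MTA-STS (RFC 8461) and DANE exist to let a receiving domain publish that TLS must be used.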

That’s for the transport security. For the storage security, the emails are at least stored on the user’s MTA, so the user’s email provider has access to the content of the emails, unless the emails themselves are encrypted (almost no one does that), and even in that case the user’s email address and the email’s subject line are still not encrypted. But again this issue is more about having the user’s authorization.

Conclusion

Under GDPR, companies should try to send the minimum amount of personal data by email. Email providers (for European citizens) must make sure their MTAs support STARTTLS. As a bonus it would be nice if companies informed their users when they are using an email provider that does not support STARTTLS.

But it would also be nice if people were not all using the same email providers (gmail and hotmail); it gives them too much power (over other email providers and over people).
