User Tools

Site Tools


faq:gdpr_for_vpop3

GDPR for VPOP3 self-hosted software

VPOP3 is an email server program, it is not a service, so if you use VPOP3 on your own computer we are not a “data controller” or a “data processor” under GDPR rules as we never see any of your data (unless you give us permission to remotely connect to your PC for technical support purposes).

There is some confusion about how email and GDPR interact. GDPR is mostly a risk-based system, so it doesn't specify any hard and fast rules about how data is processed, just requires you to assess risk and take appropriate actions.

For instance, there is no general requirement for emails to be encrypted, however if the personal data is especially sensitive (eg medical records, credit card details etc) then your risk assessment will probably indicate that it should be encrypted.

Email Encryption

Email encryption is a complex topic. VPOP3 supports encryption when sending and collecting mail from a remote mail server. VPOP3 Enterprise, with an SSL certificate installed, also supports encryption when receiving mail via SMTP or when email clients collect mail from VPOP3. However, this encryption is only 'session encryption'. That means that the data is encrypted as the data is being transferred between VPOP3 and the other computer. VPOP3 stores the messages in an unencrypted form, and it is very likely the other computer (email client, remote mail server etc) stores the messages unencrypted as well. Even if the messages are stored encrypted, then the other computer must have the means to decrypt them automatically, so there is a good chance the decryption key is stored on that computer as well.

Note that once VPOP3 has sent an outgoing message to another mail server, it has no control or visibility over whether or not session encryption is used for further transit of the message.

Session encryption protects against eavesdropping of the messages in transit, but it does not protect against a bad person who has access to a PC which stores the email. It also does not protect against the message being sent to the wrong person accidentally. Several data protection breaches have happened because sensitive data has been sent to the wrong email address.

So, to protect sensitive data, you should use end-to-end encryption. This is generally something such as PGP or S/MIME. Neither of these systems is particularly easy to use, and the details are outside the bounds of this article. In brief, the recipient will give the sender a 'public key' which is used to encrypt the message using software on their own PC, and the recipient uses the associated 'private key' to decrypt the message on receipt.

Alternatively, you could save the documents in a password protected ZIP file, but do not send the password by email, or if someone can view the protected email they can probably see the password as well.

Some providers will offer 'encrypted email services'. These are often a web-based messaging system, so if you want to send a sensitive document to someone, in fact it uploads the document to a secure website and emails a link to the recipient. These have issues to consider:

  • you are giving the sensitive data to someone else (the encrypted email service provider) who would not have had access to the data otherwise
  • the recipient needs to expect to receive the message this way. A security-conscious recipient would be very dubious about downloading a file from a website they don't know about
  • the recipient needs to know how to access the data. If the link which is emailed to the recipient allows the recipient to download the message without logging in, or contains the login details, then it is no more secure than just sending the data to the recipient directly. Consider what would happen if you mistakenly sent the data to the wrong email address. If the encrypted email service will let that wrong email address view your data, then it is not secure

Disclaimer

We are not lawyers, so the above is based on our understanding of GDPR. You should consult a GDPR specialist lawyer if you are in doubt.

faq/gdpr_for_vpop3.txt · Last modified: 2018/11/14 10:45 (external edit)