12

Recently, there was a question on Information Security which asked what could be done to protect the confidentiality of his contacts in the case that his custom email domain expires and someone else registers it. If this happens, the new registrant will be able to receive these emails. Because this was asked on the Information Security Stack Exchange, I was only able to provide a technical answer which boiled down to "there's nothing you can do short of not letting the domain expire", but I now wonder if there isn't a legal option that could be pursued as a last resort.

Is there any potential legal remedy which OP could use in the case that someone registers his domain, sets up an MX record, and begins receiving confidential emails intended for OP?

forest

3 Answers

8

Not that I am aware of.

A person who 'owns' a domain is entitled to utilize that domain including for the purposes of receiving emails.

With physical mail, it is a crime in most countries to intentionally interfere with mail that is not addressed to you. For example - Australia. However, this is statute law and as such does not extend to emails - even if it did, if you own the domain then you are the person to whom it was addressed.

I note that you seem to misunderstand "confidential" - this only arises in the context of a special relationship between the person transmitting the information and the person receiving it. Usually this is a contractual obligation between A and B but it can be imposed by law (e.g. doctor-patient, banker-client, lawyer-client, GDPR etc.). If A sends confidential (as between A & B) information to C, C is under no general obligation to keep it confidential if C has no relationship of confidentiality with A or B. If C discloses it and B suffers damage, B sues A for breach of confidence (or the government prosecutes A for breaking the law); B has no case against C.

For your situation, where B has allowed A to send the information to an obsolete address then B has contributed to the breach to an extent that B would be extremely unlikely to succeed in a suit against A.

Dale M
4

Yes, there are legal remedies.

GDPR would first require them to handle the emails with a great deal of care. They would not have permission to read them and they may contain private correspondence or information, which is protected by GDPR. As such any abuse of that information, or even storing it for longer than required to identify it as such, would be grounds for a complaint to the Swiss data protection authority.

Note that although Switzerland is not an EU member, Swiss organizations and citizens are subject to GDPR rules (as well as local Swiss laws which are not dissimilar) because of regulatory alignment resulting from treaties with the EU.

It also depends why they registered the domain. If it was malicious, e.g. they wanted to get your emails, then it may be considered a crime under Swiss law.

user
0

In United States law:

This has not yet been tested in court.* A related concept is email confidentiality notices, whose efficacy is considered, at least by Wikipedia's references, not well grounded.

However I propose that by inspecting the language of the CFAA (Computer Fraud and Abuse Act) we can determine what email privacy is expected. While the CFAA does not address directly the question asked, it does show that legislation was constructed to map existing property and privacy law for physical items onto digital property.

A famous example of this is "logging into an unsecured server is illegal if you do not have permission to do so." The real world analogue to this is entering an unlocked house. It's still trespassing if you could be expected to know it was a private area.

* The only useful thing that can be said.


In this specific case:

If you receive a physical letter addressed to someone who is not you, you are not allowed to open it.

So, if you receive a digital letter addressed to someone who is not you, you are not allowed to open it.

This is complicated by how email actually works. You will open the letter by receiving it. I suspect what that means is that it is your duty to not act on, forward, or publicize that information that was sent in confidence. Your ability to do a thing has little bearing on whether you are actually allowed to do it (see: murder), and misunderstandings of that fact have led to outrage directed at the CFAA and hacking trials which I believe is misplaced.


I dislike the CFAA and conversations such as this one for a different reason -- people try to separate the physical and digital even though we have tons of existing precedent that covers both with very little imagination.