IT security LAW GDPR EU AVG some links to documents in EN DE NL guidelines and GDPR

ikkeben · Aug 25, 2019

So for the ones wo are IN EU or need to be compliant here a few links in German, English, Dutch 2019 version
IT security IN COMBINATION with GDPR privacy

IT Security Act .......

Guidelines:
https://www.teletrust.de/fileadmin/docs/fachgruppen/2019-06_TeleTrusT_Guideline_State_of_the_art_in_IT_security_ENG.pdf

Handreichung:
https://www.teletrust.de/fileadmin/docs/fachgruppen/2019-06_TeleTrusT_Handreichung_Stand_der_Technik_in_der_IT-Sicherheit_DEU.pdf

Richtlijnen:
https://www.teletrust.de/fileadmin/docs/fachgruppen/2019-06_TeleTrusT_Richtlijn_State_of_the_art_in_IT_security_NLD.pdf

Germany is i think one of the most strict , breaking there those LAWS cost some money.

But kind of "same" rules are valid for all EU country's

Press release explaining short
https://www.teletrust.de/fileadmin/docs/presse/presse-docs/PR-190207-ENISA-TeleTrusT-Guideline_State_of_the_art_ENG.pdf

Here the

Technical Guideline TR-02102-2Cryptographic Mechanisms: Recommendations and Key Lengths

https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-2.pdf?__blob=publicationFile&v=7

So no old PHP, no old TLS 1.0 and TLS 1.1 and so on.
To have impossible reading / changing emails by persons who aren't alowed.

Richard G · Aug 25, 2019

You're quite right. There are some panels breaking these laws.
When they start checking these things, there will be fines.

The option in the newest directadmin to be able to just read users mail without logging in should be switchable and by default set to off for example.

BBM · Aug 25, 2019

"compliant"...
not complaint...

ikkeben · Aug 25, 2019

You can read some FINES already given if made public not having GDPR right!

http://enforcementtracker.com/

Data was not processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

BBM · Aug 25, 2019

It comes down to the fact that the user now has to give you, as an admin, formal permission to 'process' (read/gain access to) its email-data.
And also in such a way that security is maintained at all times.

ikkeben · Aug 25, 2019

BBM said:
It comes down to the fact that the user now has to give you, as an admin, formal permission to 'process' (read/gain access to) its email-data.
And also in such a way that security is maintained at all times.

Yup but then that Same user has to aks permission to the emailcontacts from that user to, while you are reading mails send to them from others!

So difficult if having permission upfront from domainuser/owner only then?:
and if i read on a website:

If you send us a email our server admin can read those emails to ( for blabla reason) are you agreed?

Process purpose and so on is normal and ofcourse none issue.
But reading gain access to is never for having more or better security , is then even worse. no need at all for that.

( strong example you have permission from the emailuser/owner, but your wife/man/partner/friend/girlfriend is mailing this emailuser about the ... night having ... , so ??????? you read and can and may.. )

het briefgeheim the confidentiality of mail
briefgeheim inviolability of the mail

blueice · Aug 26, 2019

Hello,
i reply here in order to keep the technical thread clean from the law things.

i have help some companies regarding the GDPR. I am now lawyer but this companies have lawyer i have just do the technical part under the lawyer guidelines.
I share here my experience:
After lot of search, i have see that the law allow to have one or more administrator (depending of the size of the company) with full access to the user and company files (including emails) in order to do all admin tasks etc.
This admins is responsible in order to make good use of the data. Always is good to limit access when is possible but the law not say that need to block a administration from the access to user data. As the lawyers tell me this is clean. The company need to limit the full access only to a limited number of people but even for this the responsibility is in the customer, not the web hosting company.

I think it is good if the directadmin team can clean if the auto login feature can be disabled from the directadmin.conf (i not have see why not, but need to confirm) so can be up to the hoster if they want it or not. This can save us lot of time in this thread.

Need to keep always in mind that the GDPR don't want to block the main admin from access to the data, but only to give responsibility of the use (and this is law part, not technical part) and also limit the other users to only the required data for they work.

If someone think that the auto login feature (for the main admin of the website) is break the law, then totally every popular linux control panel is not compatible at all with GDPR because a admin can just copy the folder of the emails to his email and then can read it. The auto login feature need a click and just 0.5 seconds, the other way need just a command and some more seconds. In GDPR this not make really different.

ikkeben · Aug 26, 2019

IT is common and normal to have user data itself protected with depending on which level the normal or most strict reasonable protection.

That is also FOR admins.

Sorry don't agree in Germany for more then 30 Years in IT now.
Even other custommers or members from that company / custommer is not allowed to get direct easy acces to such (personal) data.

Other software as told emailserver David/TOBIT has such option ( completly protect access/reading against admins and co) for over25 years now.

As administrators you have always access, but no right to read without permission! ( is not only GDPR !)

Ask you lawyer again while this is already since 1977 or so in Germany and other countrys as >

het briefgeheim the confidentiality of mail
briefgeheim inviolability of the mail

And yes i have experience beeing "punished" for such things already in real live for more then 20 years ago!

Please don't give wrong Juristic advice, i am also not a Lawyer or Jurist so i can't do to.

ONly posting some more info and links and out of my own experience.

Al these are not JURISTIC LEGAL advice ! only pointing out some links and info for discussion

blueice said:
After lot of search, i have see that the law allow to have one or more administrator (depending of the size of the company) with full access to the user and company files (including emails) in order to do all admin tasks etc.
This admins is responsible in order to make good use of the data. Always is good to limit access when is possible but the law not say that need to block a administration from the access to user data. As the lawyers tell me this is clean. The company need to limit the full access only to a limited number of people but even for this the responsibility is in the customer, not the web hosting company.

.

So SURE for Medical personal DAta and also Financial personal data and lot more this is against the LAW and not true , i''m no LAWYER but you can read a part here if you want>

https://digitalguardian.com/blog/healthcare-security-understanding-hipaa-compliance-and-its-role-patient-data-protection

There is and be noway never need to read usermails, if problems with typical mails you can ask them before and have some tests with permission and so on.
So it should not be the other way arround! ( even if someone died, you have to ask for special permission to have emails read! )

So it is a v ery easy reasonable technical and organisational possible to noy have the option to void this

het briefgeheim the confidentiality of mail
briefgeheim inviolability of the mail

Then you have to take care for that.

That mails are in clear txt on server yup is other thing you have to take care of depending which level the DATA itself is. (For medical also not allowed)

Arcg you can read the starting post links here then you have if reading clear how LAW in Germany / EU handling such for IT.

OYEA and if they do there reading and so, then has to be a very very good reason and also impossible to delete LOG / AUDIT for such actions from sysadmins. ( permission should be there before mostly to)

No need you can do your tasks without! ( that it is only more easy with is no reason at all )
Then this aply's also:

Das Fernmeldegeheimnis untersagt, sich oder anderen über das für die geschäftsmäßige Erbringung der Telekommunikationsdienste einschließlich des Schutzes ihrer technischen Systeme erforderliche Maß hinaus Kenntnis vom Inhalt oder den näheren Umständen der Telekommunikation zu verschaffen (§ 88 Abs. 3 S. 1 TKG).

https://dejure.org/gesetze/TKG/88.html so simple it is.

If you have such option button and klick you can see direct forbidden content for your eyes or the eyes for that account! i don't think that is OK.

( so you have that option but the moment you klick you're mayby allready in problems even if you didn't want to read mails at all.

Every ADMIN or User wo has such option can become in VERY BIG problems when a Company have Legal problems and therefore insight in DATA and who has ACCESED. ( if leaked information no one knows who then you admin can be hold responsable even if you didn't leak)

So very very high LEGAL risks with such options possible even if switched of you can enable easy!

Normally everytime someone not having special permission reading or accesing personal DATA or mail.
Then you have to make a reporting of data breaches , your BOSS COMPANY and your Users has to!

HOW do you know you have that permission from the mailsenders?

https://autoriteitpersoonsgegevens.nl/nl/onderwerpen/beveiliging/meldplicht-datalekken

Dutch email > https://www.rijksoverheid.nl/actueel/nieuws/2017/07/11/grondwet-bij-de-tijd-e-mail-ook-onder-briefgeheim

So simpel it is a "postmen" and POSTAGE Firms aren't allowed to open/read any letters without personal permission, only special condition by LAW for national security and co. Permission sender and receiver!

blueice · Aug 26, 2019

Hello,
bellow is my answers:

ikkeben said:
IT is common and normal to have user data itself protected with depending on which level the normal or most strict reasonable protection.

That is also FOR admins.

I know the above, however can you please provide the part of the GDPR that forbid to the master administrator of the company to have access to the user data?
Otherwise we just talk for our opinions.

ikkeben said:
Sorry don't agree in Germany for more then 30 Years in IT now.
Even other custommers or members from that company / custommer is not allowed to get direct easy acces to such (personal) data.

sure but we talk for master admin, not for just members

ikkeben said:
Other software as told emailserver David/TOBIT has such option ( completly protect access/reading against admins and co) for over25 years now.

As administrators you have always access, but no right to read without permission! ( is not only GDPR !)

if a company require this then they can just use David/TOBIT.
This have nothing to do with the auto login feature because in directadmin the admins have already very very easy way to read users emails even without auto login.
If you want to suggest a option to really forbid access to admins in order to use the data then i think it is better to write in the Feature Requests part of the forum.
But keep in mind that in order to really provide this feature need a huge of changes (different encryption of the user folders (without give option to admins to decrypt the data but allow mysql, apache, exim etc to decrypt the data) etc).

ikkeben said:
Ask you lawyer again while this is already since 1977 or so in Germany and other countrys as >

And yes i have experience beeing "punished" for such things already in real live for more then 20 years ago!

so every hosting in the last decades in Germany that use cpanel, directadmin and plesk is not compatible with this law?

ikkeben said:
Please don't give wrong Juristic advice, i am also not a Lawyer or Jurist so i can't do to.

i have write in my previous post:
" I am now lawyer but this companies have lawyer i have just do the technical part under the lawyer guidelines. I share here my experience:"
So is not clear that i just share my experience like you do? if it is clean why you say this?

Also i want to be clean that i understand and respect your opinions (and every opinion in the forum).
However the auto login feature is a requested from many of us and also from many or our customers. For this reason it is important to keep separate the GDPR things from this feature because in reality and based on your words the easy access for the administrator (that already happen in almost all panels) have already break the law. So instead to write for just this feature it is better to write general for the changes that need to happen in order to be compatible with GDPR. And it is good, when we post a suggestion to share also the link of the part of the law who require this, so can be clean that this is not a opinion but a fact.
It is important also to separate what is the restrictions of the users and of the master admin, because if the restrictions is the same then the administration just can't happen.
Thank you

ikkeben · Aug 26, 2019

blueice said:
Hello,
bellow is my answers:

I know the above, however can you please provide the part of the GDPR that forbid to the master administrator of the company to have access to the user data?
Otherwise we just talk for our opinions.

sure but we talk for master admin, not for just members

if a company require this then they can just use David/TOBIT.
This have nothing to do with the auto login feature because in directadmin the admins have already very very easy way to read users emails even without auto login.
If you want to suggest a option to really forbid access to admins in order to use the data then i think it is better to write in the Feature Requests part of the forum.
But keep in mind that in order to really provide this feature need a huge of changes (different encryption of the user folders (without give option to admins to decrypt the data but allow mysql, apache, exim etc to decrypt the data) etc).

so every hosting in the last decades in Germany that use cpanel, directadmin and plesk is not compatible with this law?

i have write in my previous post:
" I am now lawyer but this companies have lawyer i have just do the technical part under the lawyer guidelines. I share here my experience:"
So is not clear that i just share my experience like you do? if it is clean why you say this?

Also i want to be clean that i understand and respect your opinions (and every opinion in the forum).
However the auto login feature is a requested from many of us and also from many or our customers. For this reason it is important to keep separate the GDPR things from this feature because in reality and based on your words the easy access for the administrator (that already happen in almost all panels) have already break the law. So instead to write for just this feature it is better to write general for the changes that need to happen in order to be compatible with GDPR. And it is good, when we post a suggestion to share also the link of the part of the law who require this, so can be clean that this is not a opinion but a fact.
It is important also to separate what is the restrictions of the users and of the master admin, because if the restrictions is the same then the administration just can't happen.
Thank you

It is already much longer for some levels against the LAW having data / emails unencrypted on Server or elsewhere!

As saying those older LAWS so not only GDPR are have strict rules , acceesing reading personal data and so also mails and letters, also longer.

That it is possible in other ways doesn't mean you can / may make it simpler, while then there is not a reasonable protection anymore at the state of technical possible, you're weakening such!

So much that LAWS yup or PRIVACY concerned organisation can open LAW suites and such kind against Company's using such systems, becaue of such weak prossible protecetion which has no need at all to have acces and read acces out of the blue direct from PANEL.

Simple there is no need, only that it makes life more simpler for ADMINS is not a LEGAL reason to have such !

I gave links you didn't read i gues!

NO need means! ( not do it while more easy) old GERMAN LAW FACT . https://dejure.org/gesetze/TKG/88.html

Obligors pursuant to paragraph 2 shall be prohibited from obtaining for themselves or for others, beyond what is necessary for the commercial provision of telecommunications services, including the protection of their technical systems, knowledge of the content or the specific circumstances of telecommunications.

DUTCH LAW fact: ( only out of 1 LAW there are more)

It is punishable for example for internet providers to read without good reason in the e-mail correspondence of a customer on the basis of article 273d of the Dutch Penal Code, article 273 paragraph d.

So being lazy is no good reason i expect.

As company i don't want my Serveradmins OR anyuser makes the RISK for me to have ILEGAL reading of mails and leaking so easy without even have the option you can check in AUDIT/LOG files that they can't change / delete for proof), is highly carelessness and therefore .........

Also if more leaks hapen, maybe because of this, or more knowledge at the Privacy concerned Legal instance , it is possible to get a forbidden use of..., so the risk of getting this in the open public that those control panels are voilating some possible security for reading other persons mails out of the control panel direct is also high.

It is just started more and more complains and lawsuites and instances has no manpower but ..................

If everyone with some normal human sense i think you all can know that other reading such easy mails without permission can become BIG PROBLEM!

Asking for this is no state of the art technical and organisational measurement in contrary , so already obsolete now or in near future if more commonly known at....

We are going this way in near future with GDPR i expect you asked for it hihi

https://webbkoll.dataskydd.net/en/

Richard G · Aug 26, 2019

I know the above, however can you please provide the part of the GDPR that forbid to the master administrator of the company to have access to the user data?
Otherwise we just talk for our opinions.

We're not talking about a company, because in those cases there can be special things made in contract by the boss and the boss is the owner of the ICT system in the company. This is a significant difference!

In this case we're talking about hosting, where the customer is renting (so is boss) about the ICT. In those cases you have the fact of data protection in GPDR. You have to have explicit permission of the user, to be allowed to check and enter his mail. As you can also read from the law article presented by ikkeben. But it's also prohibited by AVG.

It's not a discussion about opinion, it's a fact. It's not for nothing we all need data protection and data processing agreements with the user. So we are talking about how to do this correctly.

What could be correct is to either get permission every time from the user when he want's you to fix things or you need to access his email. Another way is to put some text in the Agreement Terms, that when the customer agre's to the Agreement Termens, he also specifically allows the sysadmin direct access to mail and database if needed for fixing problems.

The choice is thee. I'm not even sure if putting such thing in a customer agreement is enough. But if you have a ticket system and you ask the user if you can access his mail to fix things and he answers yes, then you also have proof that you are allowed. You can also ask him if that goes for any time or only this time. That way you also have proof of permittence.

But you can't access these things without the customers consule, that is against privacy and possible other laws.

because in directadmin the admins have already very very easy way to read users emails even without auto login.

That is not true. It's eays yes, but it's not very very easy. That is being done by creating the auto login. Without it, you have to search mails, you only see code and don't know any subject.
Easy to read because it's plaintext. But as said AVG/GPDR is to protect privacy, not to make access to privacy violations even a lot easier. It's a grey area, but I don't think this will pass when an audit is done.

However the auto login feature is a requested from many of us and also from many or our customers. For this reason it is important to keep separate the GDPR things from this feature

No certainly NOT. I also respection your opinions and comments. But you can't ignore AVG/GPDR just because a lot of people want something. Even more people dislike cookies and want them to be gone, but it's law and they won't go away.
So also as soon as you change something in the system, which might interfere with privacy regulations (AVG/GPDR) and/or law, you have to take that into consideration and think about if it even can be done and what the legal effects are.
You just can't put these things seperately like you want.
You can discuss it seperately (which we are doing now) but you can't see them seperately because it's e-mail, so only for that reason it's already part of the AVG/GPDR because email is personal item which falls under privacy. Just like an alias, ip address, phone number, etc..

ikkeben · Aug 26, 2019

TRy to translate this 11 years article old exact about the risks for that and having no need at all
Also pointing out that short sentence :
New "lazy" generation point-and-click "badmins" and .... much more higher risks with that.

https://www.computable.nl/artikel/achtergrond/beheer/2671318/1444691/macht-verleidt-beheerder.html

Geen complete inzage

Daarnaast valt er ook aan de technische kant één en ander te verbeteren, stelt Laan. "Er bestaan al systemen die de systeembeheerder niet complete inzage in alle data geven. Alle data kan standaard gecodeerd (encrypted) worden opgeslagen en kan ook zo over het netwerk worden gestuurd. Alleen degene die inzage in de data moet hebben, zou hiervan de (digitale) sleutel moeten hebben."

"Voor het werk dat systeembeheerders doen is het meestal helemaal niet nodig om alle informatie van iedereen te kunnen zien. En mocht het nodig zijn, dan zou dat alleen moeten kunnen met medewerking van personen die normaal gesproken ook bij de informatie kunnen. Of in een uitzonderlijk geval met medewerking van het hoger management."

Deze gedegen, veilige aanpak heeft ook een nadeel, merkt Laan zelf al op: "Een dergelijke opstelling maakt het forensisch onderzoek naar frauderende medewerkers natuurlijk wel wat lastiger."
Belastinggegevens verkocht
Belastingdienst

Belastinggegevens van rekeninghouders in Lichtenstein waren te koop.

Lezer Jan van Leeuwen ziet wel degelijk beren op de weg: "Ik ben lang systeembeheerder geweest en heb altijd toegang tot alle gegevens gehad. Dat betekent niet dat je naar believen gaat snuffelen. Normaal is daarvoor ook geen tijd, maar met een nieuwe generatie van point-and-click beheerders kunnen misschien meer problemen verwacht worden. Ook omdat ze het goede voorbeeld van hun directie krijgen, die met miljoenen gaat schuiven en die daar ook niet bepaald eerlijk aan gekomen zijn.

So if you are diong this for yourself while it is your own company , you are the one having extra risks.

If your company is doing using this, they are proofen at extra high risk, (admin rights, snowden, bradley, ...papers and so more are skandals having not enough protection in IT system management itself against own inside personal)

MOST DATA BREACHES ARE probable based on "legal" access from own Personal.

It is even possible someone traps you / ad,mins into sending data and accusing you afterwards, so this person who told you i can't send out this mail can you try for me!

IT security LAW GDPR EU AVG some links to documents in EN DE NL guidelines and GDPR

ikkeben

Verified User

Richard G

Verified User

BBM

Verified User

ikkeben

Verified User

BBM

Verified User

ikkeben

Verified User

blueice

Verified User

ikkeben

Verified User

blueice

Verified User

ikkeben

Verified User

Richard G

Verified User

ikkeben

Verified User