
I would like to send emails from a server, but also make them untraceable, both for me as the server owner and for attackers. I want this for GDPR, but also to protect people from abusers.

Short info about the service: I am providing the service as a person, not a company. Emails will be tied to the product (invites and service content) with 0 marketing; there will be rate limits preventing spamming; emails will be triggered only by real users; users won't be able to send just any email, but rather use specific templates; non-users will be receiving emails too (invites).

Will it be enough to just store emails hashed and salted with one system-wide salt value? My main concern is mostly non-users, as I can't have their consent before emailing them. So I could give them a way to block abusers, or all emails from my server, by just storing the hashed and salted email and comparing every request to send an email against it.

Another problem is: how can I prove that some user gave me consent to receive past emails? Is a stored hashed and salted value enough?

Do you know how other big services like Gmail, Mailgun, etc. solved this?

schroeder
  • Your service allows *others* to send emails? That's not clear in your post. – schroeder Jan 30 '21 at 08:28
  • I have heard from a GDPR legal expert that a hashed email address is still personal data because it is still a unique and traceable record of an individual. Also note that there are anti-abuse exceptions to GDPR, but iirc you'll need proper language in your terms of service to get that right. This post is not itself legal advice and if it sounds good then you should pursue actual legal advice. – Adam Katz Jan 31 '21 at 20:26
  • @schroeder yes, that was the intention, but only sending prepared templates, not emailing freely whatever the user tries. –  Feb 01 '21 at 20:41
  • @AdamKatz thank you, yes, it seems so, only if I ditched salt after hashing, but then, it would be quite useless. –  Feb 01 '21 at 20:43

1 Answer


You might be over-thinking the problem. In order to record consent, you need to store the PII. It is ok that it is stored un-hashed.

You appear to want to hash the emails as a layer of protection, but I would rather that a service spends time protecting access to this stored information. If an attacker can get access to the hashed emails, then you can assume that they also have access to the salt, and access to other data that would allow the attacker to guess or test emails. So, I'm not sure if hashing will ultimately do any good.

What big services do is to restrict access to the data.

schroeder
  • Thank you. Yes, I am aware that salting is useful only if you can guarantee the attacker won't be able to gain the salt, which comes with the importance of security. Sadly, in this scope I think nothing is really bulletproof, as I can't compete with the top security of big services. –  Feb 01 '21 at 20:40
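An added example, not code from the question or from schroeder's answer, that implements the asker's blocklist scheme in Python (one system-wide salt, SHA-256 digests only) and illustrates the answer's point: anyone holding the digest table together with that salt can re-hash guessed addresses and confirm which ones are present, so the table is not anonymous. The keyed-HMAC variant at the end is an assumed mitigation in the spirit of "restrict access to the data", not something the page proposes; the salt, key and addresses are constructed.

```python
import hashlib
import hmac


def normalize(address: str) -> str:
    """Trim and lower-case so one mailbox always yields the same digest."""
    return address.strip().lower()


def salted_digest(address: str, salt: bytes) -> str:
    """The asker's scheme: SHA-256 over a single system-wide salt plus the address."""
    return hashlib.sha256(salt + normalize(address).encode("utf-8")).hexdigest()


class Blocklist:
    """Opt-out list that stores only digests; a send is refused if the digest is present."""

    def __init__(self, salt: bytes) -> None:
        self.salt = salt
        self.blocked: set[str] = set()

    def block(self, address: str) -> None:
        self.blocked.add(salted_digest(address, self.salt))

    def may_send(self, address: str) -> bool:
        return salted_digest(address, self.salt) not in self.blocked


def confirm_candidates(digests: set[str], salt: bytes, candidates: list[str]) -> list[str]:
    """The answer's point: whoever holds the digest table and the system-wide salt
    can re-hash guessed addresses and see which are in it, so the table is not
    anonymous. With a different salt no candidate matches."""
    return [c for c in candidates if salted_digest(c, salt) in digests]


def keyed_digest(address: str, key: bytes) -> str:
    """Assumed mitigation (not proposed on the page): an HMAC whose key lives outside
    the database, e.g. in a secrets manager. Testing guesses then needs the key too,
    which is the 'restrict access to the data' the answer recommends."""
    return hmac.new(key, normalize(address).encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed values for a stand-alone run; real salts and keys come from a CSPRNG.
SALT = b"constructed-system-wide-salt"
KEY = b"constructed-hmac-key-kept-in-secrets-manager"

if __name__ == "__main__":
    bl = Blocklist(SALT)
    bl.block("Alice@Example.org")
    print(bl.may_send("alice@example.org"), bl.may_send("bob@example.org"))
    print(confirm_candidates(bl.blocked, SALT, ["bob@example.org", "alice@example.org"]))
```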