Peer network FAQ
What data is shared?
- The data (we call them signals) relates to threats encountered by your Lightmeter installation, as well as information which identifies your installation, in order to prevent abuse (e.g. to prevent people sending fake reports, or spoofing identities in order to get the wrong server blocked). Only information required to enable Lightmeter features is collected or shared.
More specifically: an instance ID for each Lightmeter installation, the email address of the Lightmeter admin user (never shared with others), and the IP addresses of devices which attempt to log in to the mail server.
What about personal data?
- IP addresses are shared, e.g. for detecting SMTP authentication attempts, in order to detect attacks and warn other Lightmeter peers about servers which should not be trusted. The times of requests from these IPs are also shared to detect attack patterns and attempts to evade blocking.
- The email address of the Lightmeter installation administrator is also shared with a central server for verifying reports from that installation and preventing abuse. This is the single email address which is provided during registration. It is never shared with third parties (or other Lightmeter peers).
- Statistics such as the percentage of mail that bounced are shared, in order to provide mailserver automation features.
- The addresses, contents, and metadata from emails are never shared in any form.
How can I see what’s sent?
- The Telemetry page in your Lightmeter installation shows the complete contents of the most recently shared data signals so you can check them. To save storage space, older reports are automatically purged.
How much bandwidth does it use?
- Not much – a typical Lightmeter installation will use less than 1mb per hour.
How often are signals sent?
- It varies, but typically multiple times per hour. This enables faster detection and protection for Lightmeter peers within the network (outdated attack information isn’t nearly as useful).
What is the data used for?
- The data is used to benefit other Lightmeter users by firstly checking that it is authentic (and not abusive) and secondly by cooperatively sharing threats among mailops admins. It is also used to design and build additional mailserver automation features to make hosting email easier in future.
Who has access to data that’s shared?
- Lightmeter core team members who need access to build and test Lightmeter features have access to all the shared data, and derivative data in the form of e.g. threat reports is available to other Lightmeter users through their installations, in order to enable certain Lightmeter features to work.
What is the legal basis for collecting this data?
Can I turn sharing off?
- To avoid sending signals, use a version of Lightmeter which does not include related features (e.g. Lightmeter 1.8.2). To seed the crowdsourced dataset with enough reports, Lightmeter 1.9 does not allow turning them off.
- We understand that it might be necessary for users in certain situations to switch them off. If that’s you, please let us know so we can understand your use-case and determine how to best make Lightmeter work for you going forward. We’re listening to feedback and will review this decision for future releases.
How does it affect my users?
- The IP addresses of attempted SMTP authentications are shared in order to identify attackers. This is identifying information under the GDPR, shared on the basis of your legitimate interest in providing a reliable email service to your users.
What if my question wasn’t answered?