Peer network FAQ

What data is shared?

  • The data (we call them signals) relates to threats encountered by your Lightmeter installation, as well as information which identifies your installation, in order to prevent abuse (e.g. to prevent people sending fake reports, or spoofing identities in order to get the wrong server blocked). Only information required to enable Lightmeter features is collected or shared.

More specifically: an instance ID for each Lightmeter installation, the email address of the Lightmeter admin user (never shared with others), and the IP addresses of devices which attempt to log in to the mail server.

Full details of information used for all purposes (including this website) and the legal basis for each under the GDPR are stated in the Lightmeter Privacy Policy.

What about personal data?

  • IP addresses are shared, e.g. for detecting SMTP authentication attempts, in order to detect attacks and warn other Lightmeter peers about servers which should not be trusted. The times of requests from these IPs are also shared to detect attack patterns and attempts to evade blocking.
  • The email address of the Lightmeter installation administrator is also shared with a central server for verifying reports from that installation and preventing abuse. This is the single email address which is provided during registration. It is never shared with third parties (or other Lightmeter peers).
  • Statistics such as the percentage of mail that bounced are shared, in order to provide mailserver automation features.
  • The addresses, contents, and metadata from emails are never shared in any form.

How can I see what’s sent?

  • The Telemetry page in your Lightmeter installation shows the complete contents of the most recently shared data signals so you can check them. To save storage space, older reports are automatically purged.

How much bandwidth does it use?

  • Not much – a typical Lightmeter installation will use less than 1mb per hour.

How often are signals sent?

  • It varies, but typically multiple times per hour. This enables faster detection and protection for Lightmeter peers within the network (outdated attack information isn’t nearly as useful).

What is the data used for?

  • The data is used to benefit other Lightmeter users by firstly checking that it is authentic (and not abusive) and secondly by cooperatively sharing threats among mailops admins. It is also used to design and build additional mailserver automation features to make hosting email easier in future.

Who has access to data that’s shared?

  • Lightmeter core team members who need access to build and test Lightmeter features have access to all the shared data, and derivative data in the form of e.g. threat reports is available to other Lightmeter users through their installations, in order to enable certain Lightmeter features to work.
  • Sending signals is necessary for Lightmeter to work as intended and to provide the features that Lightmeter users have requested. All versions of Lightmeter which send signals depend upon a service agreement which Lightmeter users enter into when they register to use the application. See our Privacy Policy for details.
  • Sending signals which include some identifying information about end-users of the mail server (e.g. mailbox users) is desirable for the secure and efficient operation of the host’s email network. That is a legitimate interest of the administrator of a given Lightmeter installation. See our Privacy Policy for details.

Can I turn sharing off?

  • To avoid sending signals, use a version of Lightmeter which does not include related features (e.g. Lightmeter 1.8.2). To seed the crowdsourced dataset with enough reports, Lightmeter 1.9 does not allow turning them off.
  • We understand that it might be necessary for users in certain situations to switch them off. If that’s you, please let us know so we can understand your use-case and determine how to best make Lightmeter work for you going forward. We’re listening to feedback and will review this decision for future releases.

How does it affect my users?

  • The IP addresses of attempted SMTP authentications are shared in order to identify attackers. This is identifying information under the GDPR, shared on the basis of your legitimate interest in providing a reliable email service to your users.
  • You may want to inform your users that this information is being shared with Lightmeter (for example in your own Privacy Policy / Notice). The GDPR may be interpreted differently in each country, and we cannot provide legal advice, but the following example may be useful for your own use:

We use Lightmeter to monitor our email servers’ security and performance. This includes a service provided by Lightmeter Ltd, Kemp House, 160 City Road, London, United Kingdom, EC1V 2NX (‘Lightmeter’). If you use our hosted email service then data such as your IP address and the time that you connect to SMTP servers is processed. The legal basis is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in the analysis and optimization of our email servers. Further information about the collection and use of data, as well as your rights and protection options, is in Lightmeter’s privacy policy at https://lightmeter.io/privacy.

What if my question wasn’t answered?

  • Check out the original peer network announcement, and our Privacy Policy. The policy includes how the data is stored, kept secure, for how long, and much more. For other questions you can ask us directly (we’d love to hear from you!) at hello@lightmeter.io.