E-mail Confidential

[InfoSec News <isn () c4i org>]

http://slate.msn.com/id/2101561/

By Jack Shafer
June 1, 2004

The other day, a Time Inc. journalist of my acquaintance sent me an 
e-mail from his corporate e-mail account. I read it quickly and was 
about to hit the delete icon when I spotted this extraordinary 
114-word "disclaimer" sloshing around at the bottom. It read:

 This message is the property of Time Inc. or its affiliates. It may 
 be legally privileged and/or confidential and is intended only for the 
 use of the addressee(s). No addressee should forward, print, copy, or 
 otherwise reproduce this message in any manner that would allow it to 
 be viewed by any individual not originally listed as a recipient. If 
 the reader of this message is not the intended recipient, you are 
 hereby notified that any unauthorized disclosure, dissemination, 
 distribution, copying or the taking of any action in reliance on the 
 information herein is strictly prohibited. If you have received this 
 communication in error, please immediately notify the sender and 
 delete this message.

 Thank you.

Ignoring the e-mail's threats, I forwarded it to my 175-pound Samoan
attorney for his opinion, and he convinced me that Time Inc. has much
more to fear from me than I have to fear from Time Inc. In fine
Socratic fashion, my counsel walked me through the disclaimer,
sentence by sentence, encouraging me to add my own thinking to our
exercise. Here are my notes.


 This message is the property of Time Inc. or its affiliates. 

My attorney noted that it's probably true in the technical sense that 
an e-mail message from one of its employees sent via Time Inc.'s 
e-mail system is Time Inc.'s property. For that reason, Time Inc. 
employees should probably use their personal e-mail accounts for 
personal notes. 

But sending me an e-mail - like sending a letter—creates an implied 
license for certain uses. What sort of uses? Surely I have the right 
to delete it or to print it for my records. I know of nothing in U.S. 
law that would bar me from sharing it with my friends or even quoting 
the message in print. Of course, there are limits to what one can do 
with e-mail or other correspondence. U.S. copyright law gives every 
letter and laundry list automatic copyright protection, so if you 
published a slew of e-mail from a correspondent and he sued you 
alleging copyright infringement, a court might find that you deprived 
him of the financial rewards of his literary labors and render a 
decision against you. But I doubt very much if that's going to apply 
to one in a billion e-mails.

The first sentence of the Time Inc. disclaimer also got me to 
thinking: If the message is Time Inc.'s corporate "property," what is 
it doing in my in-box without an invitation? Trespassing? 


 It may be legally privileged and/or confidential and is intended only 
 for the use of the addressee(s). 

Or it may not be, as my attorney noted. Correspondence between an
attorney and his client is usually considered "legally privileged,"  
but an e-mail from a Time Inc. wage slave to me? Not automatically. If
the message is privileged or confidential, shouldn't Time Inc. let me
know and not leave me dangling with the vague "may be" language? And
when the disclaimer declares the message is "intended only for the use
of the addressee(s)," to what "use" is it referring? Reading and
burning it?


 No addressee should forward, print, copy, or otherwise reproduce this 
 message in any manner that would allow it to be viewed by any 
 individual not originally listed as a recipient.

Note the operative word, "should." My attorney says this is nothing
more than a request - only a fool would consider it a binding
contract.

 If the reader of this message is not the intended recipient, you are 
 hereby notified that any unauthorized disclosure, dissemination, 
 distribution, copying or the taking of any action in reliance on the 
 information herein is strictly prohibited. 

My Samoan attorney says Time Inc. might have a case if the message 
contained a trade secret intended for a recipient other than me and I 
distributed it. But sending a confidential or valuable message via 
insecure e-mail is a funny way to preserve a secret. If Time Inc. 
wants to keep its communications safe, it should invest in some sort 
of encryption software that allows privileged readers to open the mail 
but prevents them from forwarding, printing, or otherwise duplicating 
it. Microsoft, which publishes Slate, even makes a product for such 
occasions. 

 If you have received this communication in error, please immediately 
 notify the sender and delete this message.

This, too, is only a request. (See above.)

The oddest thing about the Time Inc. disclaimer isn't its dubious
legal language, but its placement at the bottom of the e-mail message.  
It's one thing to ask a correspondent to agree to terms of
confidentiality before they read the message, but to dictate the terms
afterwards? Ridiculous! If you really want to get the goat of a Time
Inc. journalist, send him some extraordinary dish about your company
via e-mail but then type the Time Inc. disclaimer into the end,
substituting your company's name for that of Time Inc.

As stupid as the Time Inc. disclaimer may be, they come a lot
stupider. In 2001, the Register, a U.K. information technology Web
site, enlisted its readers to gather the longest, most PC, and most
incomprehensible disclaimers on the Internet.

-=-

After reading, please burn this Web posting and then send your most
hilarious disclaimer to pressbox () hotmail com. (E-mail may be quoted by
name unless the writer stipulates otherwise.)

Jack Shafer is Slate's editor at large.



_________________________________________
ISN mailing list
Sponsored by: OSVDB.org