From: jkinz at kinz.org (Jeff Kinz)
Subject: Re: [issa-international] Re: Confidentiality statement on email

On Wed, Apr 16, 2003 at 09:35:33AM -0400, Bernie, CTA wrote:
> On 15 Apr 2003, at 20:41, Ken Burns wrote:
> > What is the point in using these confidentiality statements?
> > 
> > My issues with them are that they are regularly posted to mail
> > lists like this one, and are often posted on the emails that
> > advise you pass this on to at least X# additional people or you
> > will have interminable bad luck.  The point being that they are
> > regularly disseminated on emails that are intended for public
> > distribution.
> > 
> > They are also regularly found on other joke & junk emails that
> > have nothing to do with any corporate business.
> > 
> > Additionally, they are placed at the bottom of the message, where
> > they are least likely to get read.  Honestly folks, when was the
> > last time you read one of these on an e-mail you received?
> > 
> > Has anybody ever seen one of these confidentiality statements
> > make one iota of difference (other than to justify a lawyer's
> > existence [and billability] for the day he/she composed it)?
> > 
> > I would seriously like to know if they have any redeeming value.
> I can tell you first hand that a privacy statement on the bottom 
> of an email has significance from a legal evidence standpoint.  

No it doesn't.  Well, yes it does.  If your company is smart.
Yours is.  Very.

Since the email you cite below was a private communication, (ie person
to person and not posted to a list), the private communication argument
might have applied even if the notice had not been there since it was
a private communication. But having it there certainly helped because
your company doesn't put them on every outgoing email as some do.

You work at a Very Smart company. Most businesses who use these notices
haven't figured this out.

When a stupid company (as defined by the following action) puts
that notice on every outgoing email, most of which are not private
communications, or don't contain confidential information, all they are
doing is making themselves look clueless and wasting bandwidth.

As a further impact they may actually be nullifying the intent of the notice.
By indiscriminately putting it on every email message they create a
situation where they can't sue someone who does re-distribute truly
confidential info because that person can show that the notice is used
on things that are not confidential and therefore the notice is not an
indication that the material is confidential.

If a company wants these notices to actually do what they are intended to
do they should only be placed on emails which do contain confidential info
and they must delete the phrase "may contain confidential information" and
replace it with "contains confidential information" (dropping the "may" ).

> My former company and I were involved in a US civil lawsuit 
> where the opposing side attempted to introduce an email as 
> evidence.  This email had our standard privacy/confidentiality 
> disclosure at the end and was sent from me to another party 
> who was not connected with the lawsuit. Our attorney objected 
> to the use of the email arguing that it was a private and possibly 
> privileged communication, and that release of its contents could 
> violate the privacy rights of the receiving party. 
> 
> By the way, there was also a discussion as to the authenticity 
> and validity of the privacy / confidentiality statement. The court 
> wanted to know if our company had mandated the use of such 
> statements in its policies for private communications, if it was 
> recommended and reviewed by our attorneys, and if we used 
> the Privacy Statement on all email. The answer was yes to the 
> first two questions, and no to the last, as we only used the 
> Privacy Statement on email that we believed to be private and 
> confidential. Apparently, these questions were directed to 
> establish the basis for good faith effort by our company to 
> establish, implement and maintain a privacy policy and 
> mechanism that we believed protected the content of any email 
> sent with such a privacy statement.
> 
> The opposing side rebutted claiming that the email was sent via 
> the Internet (a public network), and therefore it and its contents 
> were not private. The court disagreed stating that while the 
> communications medium was public the contents of the email 
> were not, as the sender intended it to be released only to the 
> named recipient.
> 
> Since the recipient was not a party to the lawsuit and did not 
> release/waive its privacy rights the Judge ruled that the email's 
> contents including its subject were intended to be private, to a 
> disinterested party and therefore inadmissible.
> 
> My sage advice is: 
> 
> a) Establish a written Privacy Policy identifying the use of email 
> privacy statements, 
> 
> b) Prepare an Email Privacy Statement and have an attorney 
> review and provide a letter of recommendation for its use.
> 
> c) Implement the Privacy Statement and practices to include it 
> on all email that you consider private and or confidential 
> between you and the recipient(s).

Very good advice to which I would add:

The policy should require that the notice NOT be put on emails which 
are distributed to public or semi-private email lists.
(Semi-private lists are lists where your company does not control
who can join.)


-- 
Jeff Kinz, Open-PC, Emergent Research,  Hudson, MA.  jkinz@...z.org
copyright 2003.  Use is restricted. Any use is an 
acceptance of the offer at http://www.kinz.org/policy.html.
Don't forget to change your password often.
