Slashdot is powered by your submissions, so send in your scoop


Forgot your password?
The Almighty Buck

Document Retention And E-mail 174

innocent_white_lamb writes "An interesting column by Jim Carroll about email within companies, document retention, how hard it is to actually get rid of an email, and how all of this can come back to bite you later on. "
This discussion has been archived. No new comments can be posted.

Document Retention And E-mail

Comments Filter:
  • Hrm. (Score:1, Insightful)

    by autopr0n ( 534291 )
    Of course, you could also just not do anything evil to begin with...
    • by Anonymous Coward
      One of my company's senior managers started keeping a copy of every e-mail he sent or received because he got burned in the usual "you said this..., no that is'nt what I said..." that goes on in any office. After 2 years he had 6Gb in his Outlook .pst file.
      • Hey, as long as he had it in a .pst on a client machine and not on a server.. good for him. It's when that 6gb is sucking up server space when that starts to suck.

        • It's when that 6gb is sucking up server space when that starts to suck.

          Oh I don't know - GB sized .pst files anywhere seem to give Outlook fits. I'm alwasy amazed at people who have all their email in ONE folder and complain about sluggishness. They're amazed when we tell them they can file stuff in folders both on and off the server.

          As for storage of email - I've never really figured this out. Yes, some companies log email, etc, etc. Stuff gets caught on backup tapes, etc. But even then stuff drops out after a while. As an IT manager, I'd almost WANT to ditch email serve rbackup tapes after 6 months to a year, less legal hassles :)

          Besides - if its not on the server or the defendants machine (IANAL) - its tough to use as evidence - I mean you can spoof an email easily if you're the plaintiff to make it LOOK like someone sent something. Now do courts understand that? I doubt it :)

      • This story is impossible, there is a very hard limit to pst's at 2GB. It is due to the fact that pst's are just an implementation of the archaic microsoft JET database, a system that dates back to the late 80's. This is one of the most glaring bugs (other than the security problems) left in Outlook. I can't count the number of people that have lost email because their .pst went over 2GB. Until recently there wasn't even a way to recover the file, but there is now a tool that will allow you to shave off some of the end of the .pst file so that you can at least recover most of your old email.
      • I keep everything too:

        du -k ~/.netscape/nsmail
        296495 /home/ethereal/.netscape/nsmail

        This is for almost four years at this particular company. I'm not up to boss-like standards (of course, the fact that I can communicate without using .doc and .ppt files probably helps) but it's still a hefty archive.

        Is it useful? Often it is - I have exact records of all my correspondence for the last four years, sorted by date, topic, etc. as I want it. And when all else fails, I can grep for the text in the message that I want. Of course, it helps that I religiously file mail into folders so that my inbox only contains email about tasks I haven't completed yet.

        Frankly, I don't see how I could live with the example quoted in the article of deleting everything over 30 days old. I would be unable to function without reference to technical discussions, product release information, and the latest management diktats from 30 days, 3 months, or even three years ago (OK, maybe I could live without the mgmt stuff :). Do these companies with such a destruction policy just convert all their important email into other documents so that they can maintain state past 30 days? I honestly don't understand how you could just throw all that information away and hope to keep your business rolling forward. Maybe someone can enlighten me...

  • by rdl ( 4744 ) <> on Wednesday March 13, 2002 @08:28AM (#3155698) Homepage
    (Disclaimer: I'm cofounder and cto of HavenCo [], an offshore colo and supporting services company on Sealand)

    This is one of the main reasons people put email servers offshore now, even if they're operating onshore. This got started with HavenCo's gaming clients, but we now have general-purpose mail server customers who just want to company with their existing onshore document retention policies without the risk of someone subpoenaing their mail server and then trying to recover the disk.

    One of the features I'm working on now is some basic intelligence to detect out-of-character behavior by a mail server client -- such as attempting to download all messages, which would indicate they've been subpoenaed. If that happens, then we would attempt to contact the customer and get positive confirmation that they are *not* being investigated before allowing the transaction to continue. It's a trade-off between allowing normal function and protecting against legal attacks.

    Perhaps an extension of normal document retention policies for companies can be to keep them locally for 3-6 months, then move them to offshore "cold storage" where they will only be released when the offshore agent holding the files is certain a request is not due to legal duress. Trade a bit of latency for a lot of security, and otherwise the documents get destroyed anyway.
    • by Anonymous Coward
      You'd still have to prevent mail from being stored on your employees' machines.
      • Yes. Most of our clients for email use secure imap with mail kept on the server, or use web-based mail systems (which offer ticketing and other features as well)

        The ultimate system would involve secure laptops with no local unencrypted state -- using RAM for cache, and/or encrypted disk, but requiring connections to a non-US location to unlock the encrypted disk each time the machine is used. You could easily replicate the unlock servers for fault tolerance, and with a cell modem you can easily get a few hundred bytes exchanged from almost anywhere. Desktops and local servers could be handled the same way -- no local unencrypted state when powered off, and no way to unlock them without positive assistance from outside the jurisdiction, which would be revoked if there is evidence of an attack.
        • I still don't get it. If I'm a disgruntled employee (say the company just collapsed and I've just been laid off and feel cheated), what's to stop me making a copy of any email to which I have access?

          Saying "secure server" and "secure client" doesn't cut it. As long as I have reasonable access to my computer, I can make a copy. If the computer can display it for me to read, I can copy it.

          Surely SeaLand protects against something else completely!
    • yada, yada, yada... totally missing the point!

      There's no need for any legal request for the email - employees will dig them out to protect their own backs and to break the backs of others!

      Doesn't matter where the server is, or how many you have there's always going to be masses of duplication - local folders holding copies and such like. How do you handle this? Putting your server on a piss-forsaken rock isn't going to help!
      • Employees will use them against their employers, but the much larger risk is outside discovery motions. The Microsoft trial was a good example -- none of the Microsoft employees whose email was subpoenaed benefitted from that. When the really-bad-attitude list was taken from Netscape, none of the list members really wanted that, either.

        There are threats from inside and threats from outside, and having a document retention (==destruction) policy will protect against outside threats. It will not protect against employees blackmailing their employers.

        However, if an employee keeps copies of mail in violation of a document retention policy, that employee can be sued separately. I imagine federal whistleblower laws might offer some protection, but in the case of a civil suit between companies, if an employee maintains a banned archive and then sells access to that archive to the other company's legal team, the employee is likely to suffer.
        • External threats are minor compared with the everyday risks of not being able to cover your back.

          It's just that Joe Programmer being fired because he couldnt prove the customer asked for what he provided and then the customer changed his mind later doesnt exactly make the news headlines the same way.
      • What about using IMAP?

        I know what you're going to say to that: the users could easily save local copies of the message to their hard drive. If the company standardizes on an in-house e-mail client (or a mail client that comes with source code), then they can remove any features that they don't like, such as saving local copies.

        It doesn't stop someone from printing out an e-mail, using cut 'n' paste, etc. However, it's a lot better than using POP.
        • Alt-PrtSc, Print to FILE:, IMAP proxy, packet sniffer/logger, where do I begin (and that's after 5 seconds of thought, there are likely lots of other ways)? You can't have an enforceable Draconian email policy to cover the company's ass and have people be able to read their email from home.

          If I worked at such a place (while I was looking for another job), you can bet I'd be archiving everything that might ever be relevant. In fact, if I were ever involved in legal action against them, my lawyer might just make some hay of the lengths to which they went to try to keep me from preserving the evidence against them.

    • Check out the message from Sealand offering its services [] to the US in the fight against terrorism. Laugh ? I nearly fell off my chair.
    • This is one of the main reasons people put email servers offshore now, even if they're operating onshore. This got started with HavenCo's gaming clients, but we now have general-purpose mail server customers who just want to company with their existing onshore document retention policies without the risk of someone subpoenaing their mail server and then trying to recover the disk.

      I'm unclear about this. If they get a subpoena, it could be worded such that it's the mail they're interested in, not the physical storage device. In JWZ's account of the subpoena'ing of Really Bad Attitude [], they didn't seize any of Netscape's servers, they required Netscape employees to print the whole thing out. If a court orders the company to deliver copies of their email, and they refuse, they're in contempt of court which is an offence in and of itself. And if HavenCo assist them, while it may be perfectly legal under Sealand's judicial system (assuming you have a formal set of laws there), don't forget you are surrounded on all sides by the EU who aren't above applying their own laws outside their jurisdiction. Witness pressure from the EU and US on offshore tax havens.

      What if they take out an injunction against your upstream bandwidth provider(s)? What if they send Customs and Excise agents to raid you, as the UK has done to vessels at sea suspected of smuggling? (Backed by a Navy frigate and detachment of Marines, usually). What if you personally are arrested as soon as you enter an EU country?

      I'm not saying that it's impossible to provide such a service, but that it's becoming increasingly difficult.
      • Yes, this is definitely an interesting legal area which hopefully will have some precedents set in the next 10 years.

        The employees of a company would first receive a subpoena in the discovery process to turn over all relevant mail. If the employees refuse to comply, they will be found in contempt and locked up indefinitely.

        However, they can only comply if they are technically capable of complying. It is not contempt to say "that document was shredded a year ago in accordance with our published retention policy", if the document was actually shredded. If recovering mail is blocked by a systems administrator located outside the jurisdiction at hand, then it would be technically impossible for users to recover the mail, and then they would be ok.

        It would not be acceptable for someone who receives a subpoena to delete his own key locally and thus lose access; that would be considered a willful obstruction of the legal process. But it is perfectly acceptable for an overseas party not named on the subpoena (or not served) to take arbitrary actions, and it's acceptable for a company to contract with an offshore agent to undertake security monitoring of a site and lock off access in the event of any suspicious activity.

        (I would be amused if these slashdot postings themselves ended up in testimony when we finally have a test case on the email servers)
        • If recovering mail is blocked by a systems administrator located outside the jurisdiction at hand, then it would be technically impossible for users to recover the mail, and then they would be ok.

          How would you deal with the case that you mentioned, if you detect suspicious activity, call up the customer and ask if they really meant to be downloading their entire archive? They would have no choice but to say yes, they really did want to. If they did say no, they're busted.

          And signing a contract that stated that you would be blocked from accessing your own email if a subpoena was served puts the customer on uncertain legal ground. Basically, I'm saying that the court would find contempt at the very minimum.
    • Oh, all the email's on an offshore server outside the court's jurisdiction?

      That's fine. The court has the CEO locked up for contempt until the contents of that offshore mail server are delivered for discovery. Or the judge signs an order allowing hired stormtroopers to take every PC in the company for forensic analysis. Problem solved. Or am I missing something here? I imagine judges look dimly upon such blatant attempts to conceal evidence to protect against what you're calling "legal attacks" and that they call "justice."

      • It is certainly within a judge's powers to approve a discovery motion bringing in all PCs in a company to scan for files, but if the company has a policy (regardless of what it is), and then convinces the judge that it follows that policy, the judge will then only approve discovery motions which are likely to produce decent results based on the interpretation of that policy (weighed against business costs in complying with that motion).

        If an offshore party refused to assist the subpoenaed party in taking an action, the onshore party would NOT be in contempt of court, provided he could not take the action alone anyway, and provided he had not instructed the offshore party to destroy documents or whatever after the subpoena was received (but rather, the offshore party continued to operate under a pre-existing contract presented to the court), the CEO would not be in jail.

        (Certainly this was true some time ago. The RIP Act in the UK may complicate things for those in the UK, and there might be civil lawsuits against the company for contracting with a non-cooperative offshore party in the first place, but this is far less than the original case)

        As for liability on the part of HavenCo for continuing to respect a lawful contract even once our counterparty has legal difficulty in another country -- perhaps. As far as I can tell there is not a lot of precedent here. The Sealand Government would presumably receive legal requests from overseas governments; it would be a violation of Sealand Law to comply with them. The analogy is offshore trusts, where if a doctor for instance is sued for malpractice in the US, the offshore trust will not turn over assets, which has been tested repeatedly. The US specifically has engaged in "trust busting" with respect to fraudulent forms of trusts used for tax evasion, but the general concept of trust is respected greatly in most other common law countries, and aside from tax issues and criminal investigations, in the US as well.
    • This is something I've never understood about the Havenco sales pitch. I realize you are the CFO, and not the general counsel, but are you really telling US companies that if they keep information off-shore, they are not required to turn over that information if it is subpoenaed?

      So long as a company has either (a) assets in the US that can be seized and sold or (b) people in the US who can be locked up for contempt citations, it does not matter where the data is so long as the US company controls it.

      If a grand jury or a party to a civil suit subpoenas a company's mail server's harddrive and the company is unable to get a judge to throw out the subpoena, saying that the hard drive is not in this country is not an excuse. The company must turn it over or risk sanctions including just being handed a loss in the lawsuit.

      The offshore agent not releasing files without certification that the request is not due to legal duress is a nice move, but one that isn't 100$ effective. People who have tried to hide assets in off-shore trusts with similar provisions have found out the hard way that if the government is determined enough, it can make it worth your while to bring the assets back to this country.
      • The analogy with trusts is a good one; basically, the onshore party is *unable*, not *unwilling* to comply with the request, having ceded authority to an outside party. When you enter into a trust you no longer have ownership or control of the assets, which is why they are legally distinct from your own in the case of subsequent legal action.

        The US's trust-busting is primarily focused on tax and criminal investigations, and requires the cooperation of the offshore jurisdictions in which the trusts are domiciled. Sealand Law would make it illegal for the Sealand Government or HavenCo to comply with any requests for the data.
    • Aha. So if your client is being investigated and they tell you not to allow the "transaction" [transfer] to continue, you won't. In which case they'll face criminal charges for willful obstruction. Not much help to them and not really a valid option to the legal automatic deletion of emails.
      • the legal automatic deletion of emails... after a set time period.
      • There are procedures which have withstood legal challenges for offshore trusts and their records which we follow with the systems administration of the mail servers.

        The overarching principle is that the party having received the subpoena is not capable of taking the action, and does not contribute to the action being prevented.
    • Off shore ? (Score:3, Interesting)

      by Martin S. ( 98249 )
      This post is completely miss-leading, even assuming 'HavenCo' have a legit claim to be off-shore.

      Placing/using an email Server 'off-shore' offers not more protection than refusing to hand over the messages in the first place, you will be in contempt of court and go to jail until you agree to turn them over. FACT!

      Causing the destruction of evidence is a crime, in most countries, even if it is carried out by an agent. So in most cases, all 'HavenCo' will achieve is to further incriminate.

      BTW: How does a mindless commercial plug warrent +5 Interesting ?
      • Ok, refusing to hand over the messages can be contempt of court....

        .. BUT, this assumes that the mail is known to exist.

        What if I deleted everything which I didn't want seen, then supplied the rest.

        How would you know if I handed over everything or not?

        If you can't see any advantages, you're not thinking evil enough - you'd never make a CEO of Enron!

    • Let me get this straight:

      I am the CEO of a UK-based company. I send documents to you, with the instructions "Give me access to these documents on demand, unless you think I'm being subpoenaed". Then, when the subpoena comes, I'm supposed to tell the court "I can't give you those documents; I'm paying HavenCo not to give them to me"?!

      I effectively made a contract with you designed to obstruct justice. They'll just lock me up for contempt until you hand them over. In that case, are you still planning to keep them locked up forever while your customer rots in jail?

      You must have gotten Prince Roy pretty wasted before he signed the contract to allow you to do business in Sealand. He must be regretting jumping on the Internet bandwagon about now. This behaviour will eventually prompt Britain or the EU to take action and dissolve Sealand, and you won't care because it's not your little-recognized sovereign nation you destroyed with your shady business practices.

    • Legally, offshore servers are of limited value. If you are subject to jurisdiction in the US and a court orders you to cough up the email, you must cough it up. It does not matter where you store it, especially if you have electronic access to those servers in the US.

      I represented an American investment bank that was stiffed on a deal with a foreign company. The fact that many of the relevant documents were scattered throughout Asian offices of various companies made little difference in our ability to force our opposition to produce many boxes of documents, including email stored on off-shore servers.

      I'm not sure why you would try to detect if your customers are being subpoenaed. Why would you disallow your own customers to download their own documents? If you think you're helping them by refusing to allow them to comply with a subpoena, you're mistaken. Companies that intentionally put themselves in the position of losing control of their own documents to avoid legal process will not be treated kindly by courts. I can think of little better news than opposing counsel coming to me with a sob story about how his client's agent refuses to turn over the documents. In the case of third-party subpoenas, such tactics would quickly result in mounting sanctions.

      I can see reasons for getting documents offshore. From a legal perspective, though, this does not do much good. I hope your service wins a lot of customers. I can't wait to litigate against somebody dumb enough to hide his documents in this manner.

    • One of the features I'm working on now is some basic intelligence to detect out-of-character behavior by a mail server client -- such as attempting to download all messages, which would indicate they've been subpoenaed. If that happens, then we would attempt to contact the customer and get positive confirmation that they are *not* being investigated before allowing the transaction to continue. It's a trade-off between allowing normal function and protecting against legal attacks.

      Why not give them two passwords. One for "normal" use, and one that automatically flags your alarm system. They can ostensibly be "complying" with the court order while at the same time having your system automagically alter or destroy all the "good stuff".
    • I hope you don't have an Al Qaeda mail server.

      Because if they "win", you can be sure that SeaLand won't be allowed under Sharia.
  • by RobertTaylor ( 444958 ) <roberttaylor1234@g m a> on Wednesday March 13, 2002 @08:28AM (#3155699) Homepage Journal
    Some estimates suggest that once it is all added up, American's send some 1.5 billion messages a day.

    1.4 Billion SirCam "I send you this file for advice". Probably.
  • by tom_newton ( 179430 ) on Wednesday March 13, 2002 @08:32AM (#3155708) Homepage
    Simply include some extremely useful or important information in every email you send, and voila, you will find that it disappears every time, resisting even the most sophisticated attempts at retrieval :)

    NB. This method works best if this is also the only copy of said information.
  • by Anonymous Coward on Wednesday March 13, 2002 @08:33AM (#3155712)
    So what is the lesson here? If you are planning on committing fraud, illegally maintaining a monopoly, or postponing a defective product recall to maximize profit, you should first make sure you have a document 'retention' policy? And then everything will be OK? What is wrong with this picture?

    What about a story on the benefits of keeping old emails? I'm tired of hearing about the costs.

    Fucking lawyers. Oh, my mistake. It isn't the lawyers, it is the legislators. Fucking legislators. Oh, my mistake. It isn't the legislators, it's the voters. Fucking voters. There, that's better.

  • HERF gun (Score:2, Funny)

    by Lord Puppet ( 300347 )
    When there's a lot of email, and your in a REAL hurry...
  • Lotus Notes (Score:2, Insightful)

    by marcushnk ( 90744 )
    Is the only enterprise (and home use) e-mail client worth using if you handle that many e-mails.
    And as to it comming back to bite you... Don't do anything bad.. Be open honest and totally transparent in all your business dealings.. then nothing can come back and bite you.
  • by Ami Ganguli ( 921 ) on Wednesday March 13, 2002 @08:40AM (#3155734) Homepage

    I find it fascinating that people openly discuss ways of destroying evidence in case of possible legal action. Is this going to be a standard MBA course from now on: "How to cover your tracks" or "Case Studies: Failures in Shredding Policy from Watergate to Enron"?

    It makes you wonder why nobody looks at it from the opposite side. If you don't do anything illegal then your e-mail archive could prove valuable for your own defense. Trading companies, for example, keep all records of customer interaction, including phone calls, for use in the event of a dispute. You can never claim that your broker did something without authorisation because they archive everything.

    • by Scutter ( 18425 ) on Wednesday March 13, 2002 @08:51AM (#3155771) Journal
      "Legal" is an ambiguous term at best, the definition of which is determined in the courts, not the boardroom. The U.S. legal system is so convoluted, it's virtually impossible to get through the day without breaking some law. Even if you just stayed in bed all day, you'd probably be guilty of loitering.
    • I believe the problem is that, especially in highly competitive fields, one company can use the legal system to basically steal corporate secrets. Once you get the documents out of the company they become much easier to get a hold of. It comes down to the fact that the more people who see secret files the more chances there are for a leak. Of cource this is just my view, and I have trust issues so...
    • Although that is the cynical, (and usually valid, IMHO) interpretation, here's another one:

      It's not just about destroying evidence that could be used against you, maybe. I'm not in Records Management, but I bet complying with a subpoena is a lot easier when there's simply less email hanging around--if you have a good, enforced retention policy, you can honestly say "Here is what we have. We don't have anything older than n days, according to policy," and save thousands of dollars in staff time that would have been spent mounting old backup tapes and cruising employees hard disks trying to honestly comply with a court order.

    • Have you ever, um, looked at legal statues? Just law, mind you, not "case law", i.e. every case ever litigated.

      I have, in support of a project I work on. Just one narrow area of law, in one U.S. state. I tried to limit it to just the statutes, but I also had to look at some regulations and "policy", i.e. how the agencies involved chose to interpret the law.

      It's insane. Maybe, with an army of lawyers, you could sorta comply with everything. Except the parts that are contradictory, impossible, or just too vague.

      I doubt if anyone avoids "illegal" activity even in their personal lives, and it is actually impossible for business or even government, any complex entity. The problem with email and other electronic retrieval is that the normal wiggle room of life shrinks and shrinks. Aha, they did something illegal! This is done to make Joe Blow think the accused has done something actually immoral, when it could just be some absurd technicality, or just the sheer weight of things to comply with.

      By the way, big business, the bugaboo of /., doesn't really mind this situation much. Makes it so hard for some upstart competitor to emerge and compete.

    • Its not really that there is anything illegal going on. For instance destroying documents that are not the final copy is a very typical practice. If there are many versions of a document floating around (various pre-releases) it later becomes difficult to get everyone on the same page. I can only imagine during a legal investigation someone having a document that contained some mis-wordings, or a few typo's and that being chosen as evidence over the final document. It is very common (and a good practice) for people to get rid of extra stuff for the above reasons (read in less confusion).

      I am not advocating the destruction of documents to hide things, however for the general case, once a new revision of some document is out, everyone needs to trash their local copy. Formal document control programs are great for handling these kinds of things and helping to enforce protocols like this. Not to say a user can work around them, just any little bit helps.
      I am sure this will turn out to be an intresting legal discussion for some time to come.
  • Back when I worked at a .com years ago it seemed the exchange server crashed so much we could'nt keep our email longer then a few weeks if we did'nt back it up!!

    Then the CEO told us to auto delete mail older then 90 days... well the exchange server crashes took care of that too :)

  • So what? (Score:4, Insightful)

    by hcdejong ( 561314 ) <hobbes&xmsnet,nl> on Wednesday March 13, 2002 @08:43AM (#3155741)

    I'm having a hard time figuring out what his point is. He's saying "we need a policy for archiving e-mail" and then he talks about Enron, where any policy regarding e-mail would have resulted in evidence being destroyed. Is he saying we need to start pre-emptively destroying email in case there's something incriminating in it?

    "Digging up the dirt" isn't a new problem. Back when everything was done on paper, you could make copies and stash them somewhere, so shredding the original was never enough to ensure the document didn't exist anymore.

    And as for saying "e-mail will play a role in many other unfolding corporate stories", well, duh!

  • ... how hard it was for Bill Gates to keep all of those "leaked e-mails" from the public.
  • My company has an e-mail retention policy of 45 days. Every Monday morning you get a message in your inbox telling you how many massages have been deleted and that they are not recoverable. The funny thing is at least for me, all it dose it put them in my deleted mail folder. It dose not actually delete them.

    It's also annoying because I get a lot of informational mail that I "need" to keep. So it's either print them out or lose them. Well it would be if it worked right.

    • How does the company stop a technically knowledgeable user from circumventing the policy by keeping a personal, offsite archive (say, by printing the emails to a LaserWriter on FILE: on a Windows machine, then copying them to removable media or emailing the resulting .PS files to a drop), besides the threat of termination.

      Bonus points: if the hammer is threat of termination, how does the company catch the employee, save for pervasive, big brother type monitoring?

  • personally, i think one of the most interesting aspects of this topic, in addition to the lack of document retention regulations for email, is the lack of understanding on the part of many in power to make such regulations or implement such regulations.

    for example, my boss, God love him, has no idea how email works from the server end. frankly, we would-be administrators don't have the best understanding of it either.

    with this in mind, i think one of the most interesting things to see is how any document retention scheme would be implemented by many smallish and medium sized businesses. of course, i'm thinking that we may not have the appropriate skills or facilities to carry out a doc reten policy that the government might impose. the other possibility -- more likey in an Enron case, is that employees might purposefully botch such a policy.

  • by Anonymous Coward on Wednesday March 13, 2002 @08:45AM (#3155753)
    Top level MS officials no longer communicate with email.
    All communications happen in closed door sessions.
    Verbal communications are also discouraged.
    Most of these meetings are like a game of charades.
  • Netscape history (Score:5, Interesting)

    by the gnat ( 153162 ) on Wednesday March 13, 2002 @08:46AM (#3155758)
    Jamie Zawinski has a rather unpleasant story about this on his site: []

    A very good example of how essentially harmless email can be seriously misinterpreted.
  • just use a proprietary format (like Word's .doc) and store the emails on magnetic tape. 20 years later all is gone and what can be recoverd cannot be read. Some versions of what many people today think are html-documents also decay pretty fast, especially if they only display with a specific browser running on a specific OS. If this OS only runs on specific hardware, as soon as that hardware becomes unavailable the documents become unreadable.

    On a related note, I find people that put things in email they would not put on ordinary paper quite unaware of reality. Don't they know there are devices called "printers", that can put emails on paper? Don't they know that email obviously is "written text"? Except for being far more convenient, I assume that an email is a written document, that will be stored by whoever I send it to.

  • by pryan ( 169593 ) on Wednesday March 13, 2002 @08:52AM (#3155772) Homepage
    When I worked at a Fortune 500 company, I noticed that people use email for almost everything internally. Most of the stuff that large companies are liable for get thrown about in email when there are many other, often better communication methods. Unfortunately, there are a lot of middle-aged administrative assistants and managers that seem to think everything goes in email.

    The lesson? Don't use email to distribute that 10 MBib presentation. If you have a memo, then email everyone a link to it and set the web server to spit out a no-cache HTTP header with the page. If you have a file to share with some people, put it on a file server and give people the link via an email, but don't just attach the little bastard file, which probably isn't so little anyway.
  • by mir ( 106753 ) <> on Wednesday March 13, 2002 @08:52AM (#3155773) Homepage

    Emails can be forged so easily, how is their authenticity established?
    I guess any decent sysadmin in the world could show the court a whole bunch of threatening emails from the CEO of his company, what would a court do in such a case?

    • Email is incredibly useful as evidence. In much large litigation, perhaps half of the documents submitted as evidence are email.

      Courts aren't like the movies. In real litigation, the parties don't have many fights about whether a document is what it purports to be. They have fights on how to interpret the document, but not about whether it really came from the CEO or not.

      The reason for this is that email is largely self-authenticating. Most litigation involves at least one party that is a company. All but the smallest companies keep track of their email automatically. When the request for documents comes in, IT does a keyword search, dumps a bunch of emails to a CD-ROM and hands it to the lawyers. The lawyers filter the emails and hand over the relevant ones to the other side. The lawyers keep their clients reasonably honest.

      If a plaintiff comes up with an email that the other side doesn't have a record of sending, they'll have a battle over whether it is real. Both sides present evidence and the jury or the judge makes a decision as to whether it's an authentic document or not.

      In a company of any decent size, the person keeping track of emails and other documents is not important enough to have his or her ass on the line. If they are asked to forge or destroy documents, they'll either refuse or else they'll be extremely willing to talk about it. If there is ever a trial over Enron, we'll see a parade of paralegals, secretaries and mailroom clerks testifying about shredding documents until 3am every night. These things have a way of getting out.

      So: If a sysadmin forged a bunch of emails from the CEO, the court would either let the jury decide if the emails were real or, if it their authenticity were very clear, rule on the issue before trial. It would be up to the CEO and his attorney to show the court why these aren't real. If the sysadmin gets caught forging, he probably goes to jail for a little bit.
      • I was going to say that most of the email sent and received in my corporation is not digitally signed.

        I used to get laughs from coworkers by sending them messages with the name of the CEO in the From: field.

        I can see the legal battles of Bill Clinton continuing as his sexual misbehavior is further detailed by all those Usenet postings to the sites...

        However, it's a good point. I think in the future that important emails will get my digital signature, even if puzzled recipients don't know WTF GPG is.

  • ... this could be one use for USAs nuclear plans []. Just EMP everyone to get rid of any potential damaging emails :)
    • Shielding goes a long way to protecting against EMP. Your typical fire rated safe has a double metal layer case and a door that has metal rods that extend into the case on 2 or 4 sides of the opening. The attenuation of a pulse by the magnetic shunt is quite high providing a high degree of protection from EMP to the contents. Our military has lots of redundant stuff sealed in farady shielding containers to be deployed to replace online stuff damaged from a EMP attack. You can do the same thing at home. Take your spare computer and remove all external cords (cords act as antennas to pipe EMP into a box). Put it into a metal container with a metal lid with full RFI contacts all the way around the edge of the lid. The container shunts the EMP with counter EMF protecting the contents. That computer will be ready to put online after a nearby lightning strike takes out your old one.
  • I didn't see encryption mentioned anywhere to offset the persist nature of email. If all the mail is encrypted, at least you won't have to worry about copies of the message remaining on servers in between. Match that with a client that never caches the plaintext to disk, and autodeletes messages of a certain age, and I think you've got a winner.

    Of course, I'm sure some will say this is beside the point. Nothing stops employees from printing/saving email, especially if they WANT to incriminate the company. I don't think email makes this more of an issue than non-email incrimination does, however... just don't talk dirt in your email, duh?

  • Remember... electronic transactions are always going to haunt you.

    Don't say anything, anywhere, that you don't want repeated.

    Don't do anything, anywhere, that you don't want to be held up for.

    Be aware of your email.

    Oh, and use a decent email client/server solution. Use IMAP so that you only have one mail store. Delete old files.

    And beware... Big Brother IS already watching a LOT of people.
    • I disagree. Of course, with e-mail there are multiple copies, archives, records of it being sent, etc. Personally, however, you can make decisions to keep yourself safe: DO NOT BE STUPID.

      Besides, that, though, I delete my e-mail that's over 6 months old every month, and assume that if any info were that important it would've been copied.

      I would also argue that e-mail is not *more* dangerous. Who was to say that an employee didn't make a secret photocopy of a paper memo and sneak it out of HQ?

      Same old problem... same answers
  • Government email (Score:4, Informative)

    by Eric Damron ( 553630 ) on Wednesday March 13, 2002 @09:08AM (#3155811)
    The email for my State government is covered under the freedom of information act.

    What this means is that anyone can walk into any State agency and under this act require that the agency provide copies of it's email.

    There is a charge to cover costs and a waiting period to allow the information to be gathered.

    This can cause real problems for agencies that delete email without a policy covering the removal of this information. Basically, if the agency deletes email without such a policy they can be required to "recover" their email. If they don't have the expertise to do so they can be required to contract out to a company who does have the ability. This could cost them tens of thousands of dollars.

    Better to have a policy and to stay within the guidelines!
  • My company, BitDaemons Ltd, has just released the Technology Preview of a product which we believe solves many of the problems outlined in this article. It's based around ebXML and so eradicates spam and any non-business specific mail. We are developing the full product for release in Q3 2002. And its cross-platform, including Linux, aimed at the desktop. There are a huge amount of articles at the moment about problems with emails in business like this one - we think our product, Octimal, will solve them.
  • If you used to get things in snail mail in a plain brown wrapper, don't consider getting it via e-mail. It gets xeroxed and copies archived before it reaches your in-box. It's not a secret anymore for anyone who wants to know what you got last year. ;-)
  • As I was driving in to work, I heard a PSA from CPAs of America, or somesuch. Part of the announcement talked about deleting un-needed e-mail "to save on disk space."

    Now there's a ready-made excuse for Enron...
  • by RatFink100 ( 189508 ) on Wednesday March 13, 2002 @09:16AM (#3155835)
    I've read a few comments already implying this is all about companies covering their tracks after commiting fraud or other criminal acts. These comments rightly ask why should we be concerned about policies and technological solutions to aid this.

    However destroying evidence is only a small part of what this debate is about - it just makes for the flashiest headlines.

    The issue is about the way email is used - many people write emails with an informality similar to speech, forgetting that email often has a 'lifespan' equivalent to many physical documents. When you also consider that emails are being used as documentary evidence in legal cases this begins to be a cause for concern. Why? Because people don't always express themselves precisely and may give a misleading impression - especially if the email is taken in isolation.

    And it's not just the informality it's the 'working document' status of email. Let's say a particular business decision is the subject of scrutiny in a legal case, and let's say it was a decision reached after some discussion. If that discussion took place in a meeting then the documentary evidence would be the minutes - which would express the decision reached. If that discussion took place over email - would you be able to discern later that an email saying "We should do X" was expressing the final decision or merely a point of view in an on-going discussion? What if you had to prove than Y not X was the final decision?

    So the policies that need to be implemented are not necessarily about covering up wrong-doing, they are about making sure that documents (emails) which may be treated as written communcation, have the clarity and riguor that they need. If they are informal working documents then they may need to be either clearly marked or destroyed at an appropriate time.

    In my view the heart of any sensible policy should be education about how to write emails appropriately. The guideline I always use is "am I still happy to send this knowing that my customer/competitor/a.n.other could potentially see it one day?" If the answer is no then the email either needs re-writing or possibly a different form of communication is needed.
  • Not so simple (Score:2, Interesting)

    by Anonymous Coward
    There are a lot of comments here, mostly from people with no real world experience in large organizations, I suspect, saying, "well just don't do anything bad in e-mail and you're safe." How I wish it were that simple. The fact is that things get taken out of context, sometimes willfully by other people with a hostile agenda, or the rules determining what's good and bad change over time, and something that's perfectly innocent when you write it could turn into a major problem years down the road.

    Another aspect to this that seldom gets mentioned is the notion of one-sided archiving: Two people in negotiations have a dispute about how the e-mail-based conversations went, and only one can produce the prior e-mails (and often selectively at that, leaving out the ones that don't support his/her side of the argument).

    About the only solution is to be as careful as you can about what you put into e-mail (in all iffy situations make explicit references to all pertinent correspondence and other docs), and make sure you can retrieve everything from your past e-mail when needed.

  • Firstly, users ability to deal with an increasing volume of business email varies enormously.

    Some people are super efficient - their inbox is virtually always empty, anything they need to keep is moved more or less straight away to a permanent folder related to the subject, and anything they don't want to keep is deleted.

    If I look over my shoulder at some of my more senior (chronologically speaking) colleagues, their inboxes are a mess. They can't recall email on a particular topic, they don't process incoming email into sensible subjects, they just let it pile up. Then I hear them complaining that they get too much email.

    Secondly (and perhaps more ontopic) is the matter of physical document retention.

    Many companies simply retain everything, and the cost of storing these documents mounts up and mounts up. People have the attitude that "we might need it some day". Yes, you might.

    But you might not.

    Cost of storage of every document ad infinitum = $x.

    Cost of impact of not having a document at some arbitrary time in the future = $y.

    If $y is less than $x then why are you keeping every document by default?

    Or don't you know what x and y are?

    I think.
  • by catfood ( 40112 ) on Wednesday March 13, 2002 @09:27AM (#3155861) Homepage

    I'm a little surprised the article didn't mention the greatest email bust of all. In 1987, the questionable para-military funding activities of USMC"Lt.Col.OliverNorth were uncovered partly by an investigation of messages that he thought he'd deleted from the White House's internal email system.

    North hadn't counted on the "deleted" messages showing on backup tapes.

    Partly because of this smoking-gun evidence, North was convicted in 1989 [] of aiding in the obstruction of Congress, accepting illegal gratuities, and destroying documents.

    North's conviction was later overturned (with great irony considering his status as a law-and-order conservative icon) on a legal technicality.

  • Our company is considering a mandatory policy that states that no email is to be kept beyond 90 days. This policy is based on the very premise in the article: it can come back and bite you later.

    Can't say I agree with the policy entirely, but I'm just a worker bee.
  • On the specified page

    Tech News Poll
    Should websites stop running online polls
    because they are unscientific?
    [] Yes
    [] No
    [] Don't Care

    No CowBoyNeal option, but funny question !
  • This might be a factor: the other day I got a call from a gal with Lotus/IBM asking if I think a per user/per month external email would be marketable. This is the second time I've heard of a company starting to offer such a product, the first being Cisco. Since then I've come across a few [] companies marketing to the same tune.

    Along the same idea as Microsoft's software subscriptions, this could be the email model of the future. Now we throw in the factor that companies may not even be in control of where/how their documents are being destroyed? Assuming, of course, that it is possible to destroy all evidence of an email. (Due to the nature this could be quite difficult)

    I know that even with on-site, 100% controlled email it has proven difficult to find a good way to enforce a document retention policy. Users (and I'm no different) have tendency to want to horde their past emails, text index them, and search them from time to time, as you never know just what pieces of the past, from two weeks to two years, might prove useful. You can restrict the size of a user's mail-file size, but this only restricts how much the save and not how far back they can save. As of right now, mail servers don't seem to take into account an enforced document retention policy. Will a "Delete Documents Older Than:" field appear as an option on newer versions of Exchange or Domino?
  • Plead the 5th (Score:5, Interesting)

    by pryan ( 169593 ) on Wednesday March 13, 2002 @09:39AM (#3155909) Homepage

    A corporation [] is a legal construct designed to give a business the same rights as a person, right? If so, in the face of a subpoena duces tecum [], why can't a corporation plead the fifth amendment []? I assume there's a clear legal answer, but IANAL.

    Amendment V

    No person shall be held to answer for a capital, or otherwise infamous crime, unless on a presentment or indictment of a grand jury, except in cases arising in the land or naval forces, or in the militia, when in actual service in time of war or public danger; nor shall any person be subject for the same offense to be twice put in jeopardy of life or limb; nor shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law; nor shall private property be taken for public use, without just compensation.

  • Hell, I can't keep the e-mail! I'm trying to retain documents! Repair teh database - there went attachements since June! Use the IS/DS Consistency aAdjuster - whoops - restore a backup - Oh, that one
    s no good, go find one that works. ""Sorry everyone, the e-mail server's been rolled-back to last Wed night at 6:00 PM. Sorry for the trouble.""

    I can't believe MS got in trouble for having e-mail retained too long, they must be using AS/400's or *nix + Domino for e-mail.

  • The biggest question I have about this is how can they prove that the person whose name is on the From: actually sent the e-mail?

    We all know just how insecure e-mail really is and how easy it is to forge an e-mail, so how can these e-mails stand up as evidence. I can see some justification in if the headers show the e-mail coming from that person's workstation's IP connecting to ${CORPORATE_MAIL_SERVER}, but even this is not 100% proof that it came from ${PERSON}.

  • I can see a feature in the next version of Exchange where the admin can select an email and have it deleted from all mailboxes that it resides in. With Single Instance Storage it's not that big of a deal. The problem comes when people archive email to personal folders. I can see "solutions" from Veritas and some other companies for smart email archival software.
  • All this destruction of e-mail for liability reasons thwarts mining e-mail for the purposes of knowledge management, such as can be done by products like Lotus Knowledge Discovery System []. With today's high turnover rates, KM is needed to maintain long-term productivity, but evidently legal issues are dwarfing anything like actually earning money by being productive. (Hmm, has a ring of revenue generation by old large companies through patent portfolios rather than innovation, doesn't it?)
  • Why are people worried about email retention? Do they say things that aren't true at the time? Why should people be allowed/encouraged to distroy evidence?

    "Things will be misconstrued" is a cop-out. How do you misconstrue a direct warning that the recipient is too pre-occupied to do anything about? If there is an explanation, give it. I don't think juries are that stupid. If they are, then we're in alot more trouble and need to work more at educating them, or at least not putting them to sleep in court.

    Sure, anything can be taken the wrong way. But the solution isn't to give nothing, but rather to assist people in seeing the right way. Unless there isn't one! In which case, you're guilty, and I don't see why anyone should help you hide your guilt.

    • Easy.

      Redhat (or insert your favorite company here) sales person sends an email to all sales people as follows:

      "Do whatever it takes to bring in those customers."

      5 years later, unhappy former employee or disgruntled competitor sues the company. All email is subpoened. FavCompany hasn't done anything wrong but the email from sales manager to sales staff is used as "proof/smoking gun" that the company was engaging in anti-competitive business practices.

      People can and WILL interpret something in thier favor. I can tell another coworker that I think a particular employee is very fetching in that new dress and the next thing you know, I can be sued for sexual harrasment by someone who overheard the conversation. This isn't from personal experience mind you but it makes the point clear.

      You shouldn't need encryption, right? You don't have anything to hide!

      These companies don't need to delete email, right? They don't have anything to hide!
      • I thought about this before posting. The problem is not with what was said, but how it's interpreted. Of course some people will read it in their favor. That's called bias, and they're excluded from Juries.

        In your example, this smoking gun doesn't prove a thing _unless_ there was some anti-competitive activity that resulted. If FavCo had a corporate values statement saything they would obey all laws and act ethically [any company large enough to sue would], then that would be a strong defense. But it would ultimately boil down to what people say that the alleged smoking gun meant to them.

        If you don't presuppose some level of reasonableness in juries, then you're living under an oppression much more serious than the government can even impose. The prior-restraint and self-censorship is intolerable. Don't live in fear. Sometimes not even if the fears are real!

  • by eer ( 526805 )
    Back in the days when I first began using email on UNIX, I realized that

    1) far too many people had root access to the email servers;
    2) far too many people could put sniffers/tcpdump on the ethernet; and
    3) far too much mail transited through university campuses (Rutgers Univ comes to mind)

    We came to realize, and to advise our management, that email was public speech.

    Anything you said was subject to being overheard and repeated. That applies to recipients who forward mail, too.

    The same eventually was realized about voice mail.

    Encryption (usually) doesn't control recipients storing and forwarding your messages.
  • at my work, a major corporation, it is nearly impossible to KEEP a bloody email for more than 90 days. We use exchange (yes I know) and the system will purge anything in a .pst folder format older than 90 days. It patrols your offline archives, it will even find a .pst or archive folder that has its' filetype changed. The only successful way I have found it to back it up on physical media and restore to an offline computer. If you put it back on a connected computer the damn thing will find it and purge it overnight. Only certain users with legal requirements are able to exceed this bloody purge.

"If it's not loud, it doesn't work!" -- Blank Reg, from "Max Headroom"