Be Advised: Your E-mail Is Not As Private As It May Seem

IDENTITY CRISIS: PCPS's John Porter investigated a case of inadvertent E-mail forgery that embarrassed everyone involved. John R. Porter, an associate professor of biology at the Philadelphia College of Pharmacy and Science (PCPS), likes to tell two stories that illustrate some of E-mail's advantages and disadvantages. Porter exploits the advantages in teaching an undergraduate cell biology course. One of his assignments calls for the students to read some recent articles in an area of c

Dec 8, 1997
Robert Finn

IDENTITY CRISIS: PCPS's John Porter investigated a case of inadvertent E-mail forgery that embarrassed everyone involved.
John R. Porter, an associate professor of biology at the Philadelphia College of Pharmacy and Science (PCPS), likes to tell two stories that illustrate some of E-mail's advantages and disadvantages.

Porter exploits the advantages in teaching an undergraduate cell biology course. One of his assignments calls for the students to read some recent articles in an area of cell biology and then to elicit more current information by contacting the authors via E-mail. "Usually if they ask the questions well . . . and show some real enthusiasm and some real interest, they get some very excellent answers."

But Porter had firsthand experience of one of the dark sides of E-mail when he was asked to investigate a possible violation of the PCPS "Policy for the Responsible Use of Computing Resources," which he coauthored. It seems that Person A sent E-mail to Person B requesting some sexually explicit information. Person B replied with an E-mail containing that information. However, the original message unintentionally had been tagged with the return address and signature of Person C, so Person B's reply went to Person C instead of to Person A. Although Porter determined that no policies were violated, everyone involved was highly embarrassed.

INDELIBLE IMPRESSION: Attorney Michael Overly explains that E-mail can be more permanent than a paper communication.
This story illustrates the ease with which E-mail-intentionally or not-may be forged. In most E-mail programs it's a simple matter to change the contents of the "From" field, notes Michael R. Overly, an attorney specializing in Internet law who works at the Los Angeles office of the Milwaukee-based law firm Foley & Lardner. In the PCPS case, Person A sent the E-mail from a computer that previously had been used to demonstrate some capabilities of the E-mail system, and someone had entered-and forgot to clear-Person C's return address information from the system.

"One of the things we generally put into a corporate E-mail policy is that employees may not under any circumstances alter the 'From' field in their E-mail or try to spoof an E-mail message," explains Overly, who has written many such policies. Such alterations "will almost assuredly be traceable by a computer forensic expert," he points out.

But the possibility of forged or misdirected mail is a relatively minor problem. Far more serious legal problems can result from the failure to recognize the counterintuitive permanence of E-mail, notes Overly. Surprisingly, E-mail communications are far more permanent than paper communications, and this can have serious consequences. "If you have a litigation where someone asks for all of your E-mail, or you have a Freedom of Information Act request, which a government worker or someone at a [public] university might be subject to, there will be a way for them to track down a lot of this E-mail."

There are three reasons for E-mail's permanence. First, while most organizations have a document-retention policy that calls for the routine destruction of old paper documents after a specified time, these policies have rarely been extended to electronic documents. "We put aside a monthly backup tape, and we have for years," acknowledges Stan MacDonald, manager of information systems for Cytogen Corp. in Princeton, N.J. "I've got a cabinet full of them."

The second cause of E-mail's permanence is that even when a single message is transmitted between a sender and a recipient, many copies of that message are created. "If you send a [paper] letter to someone, that's pretty well defined. You know where it's going, and you know how many copies [you made]," explains Overly. "When you send a piece of E-mail, there'll be a copy on the sender's computer, on their network, and probably on a network backup tape. If it's transmitted through an online service provider like Prodigy, CompuServe, or America Online, there'll be a copy on their servers and backup tapes, on intervening computers if it's transmitted across the Internet, and then the same thing on the receiving end, on their server's backup tapes, and on the receiver's computer.

"Even if you're successful in deleting the E-mail everywhere," continues Overly, "as almost anyone that has any computer knowledge knows, electronic documents can be undeleted for a fairly substantial time." That's the third cause of E-mail permanence.

NOTHING PERSONAL: Internet security specialist Simson Garfinkel cautions that private E-mail messages should not be sent from work.
E-mail is not only far more permanent than most users suppose but also far less private. There are several ways in which third parties can read ostensibly private E-mail. First of all, the administrator of an institution's computer system has the ability-and apparently the legal right-to read users' E-mail. The Electronic Communications Privacy Act, passed by Congress in 1986, clearly gives employers the right to read their employees' E-mail, according to Simson Garfinkel, a Martha's Vineyard, Mass.-based science writer who studies Internet security.

"If you want to have private, personal electronic mail," Garfinkel states flatly, "you shouldn't be doing it at work."

The situation in academia is somewhat different from that in industry, since academic-freedom concerns make it less likely that the administration will seek to read an individual's E-mail, explains Porter. "In essence [the PCPS policy] says that one's E-mail is private, but it should not be considered so. In cases where there is some obvious wrongdoing, the college maintains the right on college-owned equipment and on the college-owned network to read logs of somebody's transactions."

But even in industry it would be rare for management to read employee E-mail routinely. And when it is read, it's usually done in restricted circumstances. "You don't want to have a free-for-all where everyone is spying on everyone " explains Overly. "You want to have a designated person-typically an MIS [manager of information services] person-who might examine E-mail randomly, might examine E-mail pursuant to some complaint by another employee, but under fairly defined circumstances, because you don't want it to turn into some sort of voyeuristic activity."

Another way that private E-mail can be read is pursuant to a court order. "The question employees should be asking themselves is, 'Would I want to have a judge or a jury seeing this message that I'm typing right now?'" Overly points out. "If you don't, don't type it, because almost always they'll be able to be discovered during litigation even if you think you've deleted it."

In some cases, a member of the general public can demand to see a researcher's private E-mail. "One thing that government employees need to be aware of in particular is that any E-mail they send on the job may be subject to a Freedom of Information Act request," Overly says. Additionally, he points out that some states have their own versions of the federal Freedom of Information Act that may affect employees of public universities.

Another danger of E-mail is that it's extremely easy for any recipient to disseminate a message widely. "If someone sends me a piece of E-mail that has proprietary trade secrets or confidential information, I can post that on the Internet in seconds, and hundreds of thousands of people have access to it," Overly explains. "Or I could take [that] information and send it to 10,000 people with my E-mail account for no additional charge. In the hard-copy world . . . you'd have to go down to your corner copy store and run off a thousand copies of a document and then send them around. There's some cost associated with that, and some trouble."

BROADCAST NEWS: Cornell's Marjorie Hodges cites an example of how an E-mail message made headlines.
According to Marjorie W. Hodges, director of the computer policy law program at Cornell University, the ease of forwarding E-mail has led her to develop a rule of thumb: "You shouldn't send anything via E-mail that you wouldn't want posted on the front page of the New York Times."

She means this quite literally. "Two years ago," she recalls, "four students sent a handful of their friends a message entitled '75 reasons women (bitches) ought not to have the right to freedom of expression.' It made national news. It made international news. It was on the front page of the New York Times, the London Times covered it, the [Los Angeles] Times covered it; we were receiving faxes from Switzerland about it."

Cornell University's policy is available at Researchers who are concerned with E-mail privacy may choose to encrypt their mail. There are several excellent public-key encryption programs available, and for all practical purposes the codes in these programs are unbreakable. But Garfinkel cautions that encryption carries its own dangers.

"Encryption encourages people to be careless," he maintains, "to create records that are damaging, to be very lax. And in many cases it's better not to create those records in the first place if you're really concerned about security."

Additionally, Garfinkel points out, someone intent on reading an E-mail message can find ways to do so, even if it has been encrypted. "If you want to read somebody's E-mail, you break into the computer in which the E-mail is located. [Cryptography] won't protect you against that ultimately, because you have to decrypt your mail in order to read it."

And Overly points out that in a corporate environment the use of encryption for private messages may well constitute grounds for termination. For example, an employee could be using the cover of encryption to run a clandestine business from within the company, store pornography downloaded from the Internet, or conduct illegal activity.

Given all the uncertainty about E-mail privacy, is additional legislation needed? "One of the problems with the current state of the law regarding E-mail is that there isn't one," explains Overly. "There are very few cases that address privacy in the work context as far as E-mail is concerned." Overly strongly advocates that individual institutions develop an explicit policy about E-mail and that they ensure that every employee understands the policy.

Hodges also is convinced that explicit policies are the way to go. She helped develop Cornell's policy, which she hopes other universities will use as a model.

But not every organization is convinced that it needs an explicit policy. "I hope I'm not being deluded, but it doesn't seem to be [a problem] so far," maintains Cytogen's MacDonald. "We haven't had any reports, and I haven't had any complaints, about E-mail violations. No one has distributed objectionable materials, no one had done so under anybody's name, so-so far-maybe we've just been lucky. Most of these policies work well with people who have good intentions, and not too well against people who have evil intentions."

And even Overly seems unsure about the legal standing of such policies. "Given the fact that . . . there are very few court cases that have addressed these issues, the efficacy of any E-mail policy is in doubt. The best you can do with an E-mail policy is to try to educate the employees about what is appropriate and inappropriate, and to get expectations in line."

Robert Finn, a freelance science writer based in Long Beach, Calif., can be reached online at