It amazes me that there are people who use email regularly but still don’t understand this. If I send you an email, say from my work account to your work account and I have ‘private’, ‘sensitive’ or whatever information in it, I’m a complete moron if I want to demand it stay private. If anything, complete moron isn’t strong enough of a phrase.
Because I want to stay out of the fray, I’ll leave the parties out of it (if you follow tech news at all, you’ll know who the parties are). A blogger posted some footage of a media person on his blog. The purpose of his post was specifically to rebut some accusations that the media person made about him. Stated another way, had the media person not made some nasty accusations about this person, he wouldn’t have felt the need to defend himself and his response would never have happened. Anyway, his post along with the video made the media person look like a complete and utter liar/phony/jackass/fool. Not surprisingly, the media crybaby got butthurt and threw out the war cry of the impotent “You’ll be hearing from my attorney!” via email. In the bottom of the email he had the standard boilerplate idiocy commonly known as an Email Disclaimer. It said the typical stuff, you can’t use this without my permission, if you’re the unintended recipient you’re not allowed to look at it, blah blah blah. My friend and super lawyer Chris insists that this is necessary to establish the communication as valid if you want to assert attorney/client privilege. But even a diehard like him is acknowledging that this is a pretty weak claim. He’s been reduced to acknowledging that it at least lets him make the case which is better than nothing. Fine, but most of these pieces of stupidity don’t come from attorneys emailing their clients. In this case, neither party was an attorney. The text did say that the receiver wasn’t allowed to publish the contents without the author’s permission. The blogger, however, had a firm statement that he’d publish any email that was sent to him regarding the blog if he felt like it. And he made clear that any threats, legal or otherwise, would absolutely positively be published.
So he published it. Now, the media person who already looked like a complete jackass looked like a much bigger jackass. He got even more butthurt and threatened to call his attorney even more, or faster, or maybe a better attorney – hell I don’t know but he made an even bigger “You’ll be hearing from my attorney” threat.
The blogger laughed and published that email too. That infuriated said douchebag even more. He started ranting and raving that the blogger was invading his privacy. By posting his private email, he broke the law and subjected him (media douchebag) to all sorts of harassment. As is ALWAYS the case with crybabies of this sort, the “my life is in danger” claim was made.
I’m not a lawyer and I don’t play one on TV. But I’ve been down this road before. For I too maintain a “If you send me an email and I don’t like it, I’m posting it on my blog and anywhere else I damn well feel like posting it” policy. I’ve been threatened a few times about emails I’ve published; in all but one case the people (or a friend of theirs) came back, apologized and begged me to take it down – which I did.
Here are a few pertinent points – keep in mind that many aspects of internet law are still in their infancy. Others, like email, are fairly well established. The points I make are ones I’ve made many times before and will continue to in the future, just b/c hearing ignorant statements is so frustrating. I’ve provided several links for substantiation and further reading but I didn’t include all the legal research behind it (pretty much everything below is information I’ve obtained from legal counsel over the years. Well, everything that discusses law). If you would like substantiation or want to argue the finer points here, feel free to email me and I’ll be glad to discuss it further. I’m not the only person to feel this is a noteworthy issue and countless people have written on it. Many think this is a legal gray area. Hardly. I encourage you to read an account that’s completely independent of my own – you’ll find the similarities are so strong they are virtually identical accounts:
- Something doesn’t carry legal weight just b/c you say so. You can say “it’s an invasion of privacy” all year long, it doesn’t make it so.
- Unless you’ve spoken with an attorney FAMILIAR with the matter at hand, you’re very likely to be wrong about any given legal claim you make.
- Even if an attorney familiar with that area of law and the particulars of the case says you’re right, that doesn’t make it so either. If it did, judges wouldn’t have much to do.
- The “Right to Privacy” isn’t something in the Constitution like Freedom of the Press. It’s a creation from interpretation (which is still every bit as valid as anything else). Nonetheless, a Right to Privacy doesn’t mean what most people think it means.
- A big part of invasion of privacy cases revolves around a reasonable expectation of privacy. You’re free to claim you had a high expectation of privacy when you sent out an email all you want, there’s no there there. If the recipient agreed beforehand that he/she would keep the contents private, you have a much stronger case. But simply demanding that they do so means just about nothing. If it did, I could demand that by receiving my email, you owe me $10,000,000,000.00. You’d laugh in my face if I made such a demand, but that demand is no more ridiculous from a legal perspective than anything else we’ve discussed so far is.
- Encrypting an email is another action that can raise the expectation of privacy (b/c you’re taking steps to ensure that only you and the recipient are privy to the email). But even that isn’t as legally compelling as some would have you believe.
- Plaintext emails are fair game. That’s because from the time you send it to the time I get it, neither of us could know how many people could see it. We could do an after the fact analysis and narrow down that number, but that still wouldn’t let you know with much precision. If 20 different people have access to the contents of the email, any expectation of privacy goes out of the window.
- Pleading ignorance doesn’t change the law or culpability.
- Emails from public email hosts (AOL, Hotmail, Gmail etc) carry a little more weight than corporate ones, but they are still pretty much fair game if you send an email from one. Think about this for a second. If you’ve ever used Gmail, when you read a message, tailored ads appear around it. That’s what supports the ‘free’ service. A computer is doing all the analysis and suggesting but in a fraction of a second, your email is scanned, analyzed and targeted ads are posted. That proves how easy it is to scan messages. But do you really think all that information just goes bye bye? I’m not making any paranoid accusations here, you give up a little privacy in exchange for the service and Google has a vested interest in keeping things secure. But anything that easy to scan will not just sit idle.
- Sending email from or to a corporate email account completely wipes out any privacy claims you might have. The courts have repeatedly held that companies have every right in the world to monitor employee email. Most companies do have some form or another of email monitoring. Among those that don’t, most have the capability of monitoring it if they needed to. Additionally, almost all companies of any size back up their mail servers so your private emails are probably sitting around on countless backup tapes where all sorts of people can see them.
- If you send anything private from your corporate email account, or to someone else’s corporate email account, it’s almost a certainty that someone in the IT department at either company has either read it, or at least could read it if they wanted to.
- If you doubt anything I’ve said in the past few items, ask your company or agency HR Director to see the Acceptable Use Policy for Internet and/or Electronic correspondence. Virtually every company of any size has an acceptable use policy (and every government agency does) which discusses what you are and aren’t allowed to do with your email account. Most strictly prohibit personal correspondence being transmitted through their email servers. Most also have a de minimis provision of some sort. These basically say that while sending personal stuff is a violation, if you do it once in a blue moon, it’s ok as long as it complies with other aspects of the policy.
- Principals are responsible for the actions of their agents. This is one of the primary legal tenets that allow companies and govt agencies to monitor email and internet use. Since a company is responsible for anything sent out by its employees, it has a vested interest in being able to know everything that’s sent out.
- If you send email from a corporate/govt agency email account, you are necessarily representing yourself as an agent. (I can’t find the link for this at the moment.)
- S*** happens. All the time. I could fill terabytes of examples of this. Some is malicious, some isn’t. Some of the worst ones are just accidents. When you have humans in the equation, you have mistakes. So even if you do everything by the book, a simple mistake could lead to data loss of your emails.
These are all relevant to the case at hand b/c they all come into play in one form or another. One of the biggest points though is that the media douchebag in question sent out his threats to the blogger from his work account. While the media clip in question was one made while in the employ of the company whose email he was using, the company wasn’t the one complaining. Again, he had made several derogatory comments about the blogger and had made several accusations against him. In those allegations, he claimed the blogger was being dishonest and was making libelous accusations. The old “Truth is an absolute defense” thing came into play, and the blogger decided to answer the ridiculous accusations by proving they were false.
When the media guy sent out the email, he brainlessly included what looked like an autosig at the bottom (right above the big scary legal disclaimer) of the email that included several pieces of personal information (he also included a VCard that had several pieces of very personal info about the guy’s family). The blogger mentioned that he had all of this but didn’t publish any of it – the only thing he published was the contents of the email – verbatim (which included the email headers). His stated reason was that he didn’t want to be accused of distorting the context or printing anything false. The media guy said this was a bogus claim, for he could have redacted all of the identifying information and still kept the integrity of the message intact – hence, he asserted the blogger published all of it to be malicious. This claim fell flat b/c of other elements of the case.
The blogger also mentioned that in the past, he received emails from the media guy from media guy’s personal email accounts. In each case when he received a demand or threat, it typically came from the corporate email. He intimated that he believed the media guy did this on purpose, to remind him of who he was dealing with and to give off the impression that his employer stood behind him on this. To that end, the blogger had recourse against the media guy’s employer. There’s a lot to that issue that really has nothing to do with email (it concerns itself with nuances of Principal/Agent relationships) so I’ve left it out of this discussion.
In the end, keep this in mind:
- In general, email is about the least private way you can communicate. If it’s private or personal, email isn’t the venue you want to send it through.
- Follow the advice “Don’t send anything in an email message that you wouldn’t be comfortable showing up on the front page of a newspaper”. Beat it into your head – THERE’S NO SUCH THING AS A PRIVATE EMAIL. Encryption can keep it private for a period of time, but if anyone else can decrypt it, you can’t count on it staying private. Want to know why this adage is so important?
- Backup and storage are very cheap. Years ago, many companies would save money by getting rid of logs/records/emails older than X years; the opposite is the case now. Moreover, if you work at a publicly traded company, a private company that contracts with/for the government, or a government agency, there are probably laws requiring that all of those records are kept for a long time. That varies depending on the nature of the entity, but items like Section 802 of Sarbanes-Oxley have pretty strict requirements for email retention.
- Email disclaimers are pretty much worthless. Even assuming that one was written perfectly and a sympathetic judge was hearing the case, at best they allow you to seek redress. They can’t ever stop someone from sharing the information. Think about the current case of a famous golfer who was having extramarital affairs. A disclaimer might (and that’s a big ‘might’) have given him recourse to sue anyone who published his emails, but would that do him any good? Would the amount of money he could recoup from a blogger or one of the women possibly do much for him in comparison to what the revelations have cost him? There’s no way to sue for your wife and kids back or those endorsements to reappear. There’s no way to sue for future endorsements that will never materialize. So even if the disclaimers had teeth, they are a day late and a dollar short.
- Your email will hit several servers between the time it’s sent from your account and the time it’s received by your recipient. It’s hard to know with certainty how many, or what servers the message will route through. Additionally, it’ll be very difficult if not impossible to know who all had access to the message. It’s also impossible to know who all will get access or who all will see the message. It could be sitting on a ton of different backup tapes at each node along its route. So even if no one read it today, you’re not off the hook yet, someone could look it up and read it 3 years from now.
- Companies and govt agencies have every right to monitor communications sent out through their servers. Many companies do monitor email. Some more than others and some not at all. But keep in mind, just b/c your company doesn’t monitor your emails today, there’s nothing stopping them from doing it tomorrow. Additionally, companies and agencies vary greatly in how much they publicize their monitoring. Some make it well known in hopes of a deterrent. Others do it quietly in hopes of catching the bad guys. And like everything else, there’s no rule saying they can’t change how much they publicize it.
- Even if a company has a de minimis provision, remember that anything you write on their computers and send through their servers is theirs. Just b/c the subject matter is your family or your personal info, unless you have it written otherwise, you can rest assured they have legal claim to it.
- VCards might seem like a good idea, but I’d be hard pressed to think of any situation where highly personal information such as birth dates, SSNs, family members’ names or anything else should be included.
- If you put personal information in your autosig, remember that many people you didn’t intend to read it will have access to that information. If you’re a high profile celebrity, business titan or what have you and you maintain public and private contact points, think long and hard before you include this stuff in an autosig.
- Remember that the correct metaphor for unencrypted email is a Post Card. If anything, the post card metaphor is inadequate b/c email is much more public than a post card.
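
To see the server hops described above for a message you have received, read its `Received` headers, which each relaying server adds on the way through. The following is an added example, not part of the original post: the message, hostnames and addresses are constructed, and the function names `hops` and `exposure` are hypothetical.

```python
import re
from email import message_from_string

# Constructed sample: every hostname, address and date below is invented.
RAW = """\
Received: from mx2.recipient.example (mx2.recipient.example [203.0.113.9])
    by mailstore.recipient.example with LMTP id c3; Mon, 14 Dec 2009 15:16:05 -0500
Received: from filter.vendor.example (filter.vendor.example [198.51.100.7])
    by mx2.recipient.example with ESMTP id b2; Mon, 14 Dec 2009 15:16:03 -0500
Received: from out.sender.example (out.sender.example [192.0.2.25])
    by filter.vendor.example with ESMTPS id a1; Mon, 14 Dec 2009 15:16:01 -0500
From: a@sender.example
To: b@recipient.example
Subject: private and confidential

Body text.
"""

HOP = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+).*?\bwith\s+(?P<proto>\S+)", re.I)
# "with" keywords that end in S (or SA) mean the hop used TLS, e.g. ESMTPS.
TLS = re.compile(r"(UTF8)?(E?SMTP|LMTP)SA?", re.I)

def hops(raw):
    """Return relay hops in the order the message travelled (oldest first)."""
    msg = message_from_string(raw)
    path = []
    # Each server prepends its own Received line, so the newest is on top.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # unfold the header
        if m:
            path.append({"from": m["src"], "by": m["dst"],
                         "proto": m["proto"].upper(),
                         "tls": bool(TLS.fullmatch(m["proto"]))})
    return path

def exposure(raw):
    """Servers that handled the message, and the links that carried it in the clear."""
    path, hosts = hops(raw), []
    for h in path:
        for name in (h["from"], h["by"]):
            if name not in hosts:
                hosts.append(name)
    # TLS only protects the link: every listed server still held the plaintext.
    cleartext = [(h["from"], h["by"]) for h in path if not h["tls"]]
    return hosts, cleartext

if __name__ == "__main__":
    hosts, cleartext = exposure(RAW)
    print(len(hosts), "servers held the message:", ", ".join(hosts))
    for src, dst in cleartext:
        print("no TLS recorded:", src, "->", dst)
```

`Received` lines are written by the relaying servers themselves and can be omitted or forged by earlier hops, so treat the result as a lower bound on who handled the message; it says nothing about backups or monitoring at each server.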