Document Retention And E-mail 174
innocent_white_lamb writes "An interesting column by Jim Carroll about email within companies, document retention, how hard it is to actually get rid of an email, and how all of this can come back to bite you later on. "
Hrm. (Score:1, Insightful)
It gets out of control very easily (Score:1, Interesting)
Re:It gets out of control very easily (Score:2)
Re:It gets out of control very easily (Score:3, Interesting)
Oh I don't know - GB-sized .pst files anywhere seem to give Outlook fits. I'm always amazed at people who have all their email in ONE folder and complain about sluggishness. They're amazed when we tell them they can file stuff in folders both on and off the server.
As for storage of email - I've never really figured this out. Yes, some companies log email, etc, etc. Stuff gets caught on backup tapes, etc. But even then stuff drops out after a while. As an IT manager, I'd almost WANT to ditch email server backup tapes after 6 months to a year, less legal hassles :)
Besides - if it's not on the server or the defendant's machine (IANAL) - it's tough to use as evidence - I mean you can spoof an email easily if you're the plaintiff to make it LOOK like someone sent something. Now do courts understand that? I doubt it :)
Re:It gets out of control very easily (Score:2)
Re:It gets out of control very easily (Score:2)
Re:It gets out of control very easily (Score:2, Insightful)
I keep everything too:
du -k ~/.netscape/nsmail
...
296495 /home/ethereal/.netscape/nsmail
This is for almost four years at this particular company. I'm not up to boss-like standards (of course, the fact that I can communicate without using .doc and .ppt files probably helps) but it's still a hefty archive.
Is it useful? Often it is - I have exact records of all my correspondence for the last four years, sorted by date, topic, etc. as I want it. And when all else fails, I can grep for the text in the message that I want. Of course, it helps that I religiously file mail into folders so that my inbox only contains email about tasks I haven't completed yet.
Frankly, I don't see how I could live with the example quoted in the article of deleting everything over 30 days old. I would be unable to function without reference to technical discussions, product release information, and the latest management diktats from 30 days, 3 months, or even three years ago (OK, maybe I could live without the mgmt stuff :). Do these companies with such a destruction policy just convert all their important email into other documents so that they can maintain state past 30 days? I honestly don't understand how you could just throw all that information away and hope to keep your business rolling forward. Maybe someone can enlighten me...
Offshore email servers (not just with HavenCo) (Score:5, Informative)
This is one of the main reasons people put email servers offshore now, even if they're operating onshore. This got started with HavenCo's gaming clients, but we now have general-purpose mail server customers who just want to comply with their existing onshore document retention policies without the risk of someone subpoenaing their mail server and then trying to recover the disk.
One of the features I'm working on now is some basic intelligence to detect out-of-character behavior by a mail server client -- such as attempting to download all messages, which would indicate they've been subpoenaed. If that happens, then we would attempt to contact the customer and get positive confirmation that they are *not* being investigated before allowing the transaction to continue. It's a trade-off between allowing normal function and protecting against legal attacks.
Perhaps an extension of normal document retention policies for companies can be to keep them locally for 3-6 months, then move them to offshore "cold storage" where they will only be released when the offshore agent holding the files is certain a request is not due to legal duress. Trade a bit of latency for a lot of security, and otherwise the documents get destroyed anyway.
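The "out-of-character behaviour" check described in the post above (a client suddenly pulling every message it has) can be approximated from the server's own access log. The following is an added example, not HavenCo code, and it assumes a constructed, hypothetical log format of one line per client session carrying the user, the mailbox size at the time and the number of messages fetched. A session is flagged either because it fetched a large fraction of the mailbox or because it fetched far more than that user's own earlier median; what happens after the flag (holding the session and contacting the customer out of band) is the policy the post describes and is left to the caller.

```python
"""Flag mail-client sessions that look like a bulk export of a whole mailbox.

Added example (not HavenCo's code). Assumes a hypothetical access-log format:
    <timestamp> user=<name> session=<id> mailbox_size=<n> fetched=<k>
"""
from collections import defaultdict
from statistics import median

# Constructed sample log lines; not real data.
SAMPLE_LOG = """\
2002-01-18T08:01:12Z user=alice session=1 mailbox_size=4120 fetched=12
2002-01-18T09:30:45Z user=alice session=2 mailbox_size=4125 fetched=30
2002-01-19T08:05:02Z user=alice session=3 mailbox_size=4140 fetched=18
2002-01-19T10:11:09Z user=bob session=4 mailbox_size=900 fetched=40
2002-01-20T02:14:33Z user=alice session=5 mailbox_size=4150 fetched=4150
2002-01-20T09:00:00Z user=bob session=6 mailbox_size=905 fetched=35
"""


def parse_line(line):
    """Split one log line into a dict; numeric fields become ints."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = int(value) if value.isdigit() else value
    return rec


def bulk_fetch_sessions(log_text, frac_threshold=0.5, ratio_threshold=10.0):
    """Return (session, user, reason) tuples for out-of-character sessions.

    A session is flagged when it fetches at least frac_threshold of the mailbox,
    or at least ratio_threshold times the user's median fetch count over earlier
    sessions (the baseline needs at least two prior sessions to be meaningful).
    History is built in log order, so a user's first sessions only seed the baseline.
    """
    history = defaultdict(list)   # user -> fetched counts seen so far
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, fetched, size = rec["user"], rec["fetched"], rec["mailbox_size"]
        reasons = []
        if size and fetched / size >= frac_threshold:
            reasons.append(f"fetched {fetched} of {size} messages")
        prior = history[user]
        if len(prior) >= 2 and fetched >= ratio_threshold * median(prior):
            reasons.append(f"{fetched} fetched vs. prior median {median(prior):.0f}")
        if reasons:
            flagged.append((rec["session"], user, "; ".join(reasons)))
        history[user].append(fetched)
    return flagged


if __name__ == "__main__":
    for session, user, reason in bulk_fetch_sessions(SAMPLE_LOG):
        print(f"session {session} ({user}): {reason}")
```

The two tests deliberately overlap: a brand-new mailbox or a freshly configured client legitimately downloads everything, which the fraction test alone would flag on its own, so a deployment would normally only act on the per-user ratio once a baseline exists and treat first-time syncs as expected.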
Re:Offshore email servers (not just with HavenCo) (Score:1, Insightful)
Re:Offshore email servers (not just with HavenCo) (Score:3, Interesting)
The ultimate system would involve secure laptops with no local unencrypted state -- using RAM for cache, and/or encrypted disk, but requiring connections to a non-US location to unlock the encrypted disk each time the machine is used. You could easily replicate the unlock servers for fault tolerance, and with a cell modem you can easily get a few hundred bytes exchanged from almost anywhere. Desktops and local servers could be handled the same way -- no local unencrypted state when powered off, and no way to unlock them without positive assistance from outside the jurisdiction, which would be revoked if there is evidence of an attack.
Re:Offshore email servers (not just with HavenCo) (Score:2, Insightful)
Saying "secure server" and "secure client" doesn't cut it. As long as I have reasonable access to my computer, I can make a copy. If the computer can display it for me to read, I can copy it.
Surely SeaLand protects against something else completely!
Re:Offshore email servers (not just with HavenCo) (Score:2)
Sure, you can "copy" it by hand, but then it's just your word against theirs.
Note for the humor impaired: Yes, I'm kidding. At least I hope I am.
Re:Offshore email servers (not just with HavenCo) (Score:5, Insightful)
There's no need for any legal request for the email - employees will dig them out to protect their own backs and to break the backs of others!
Doesn't matter where the server is, or how many you have there's always going to be masses of duplication - local folders holding copies and such like. How do you handle this? Putting your server on a piss-forsaken rock isn't going to help!
Re:Offshore email servers (not just with HavenCo) (Score:3, Insightful)
There are threats from inside and threats from outside, and having a document retention (==destruction) policy will protect against outside threats. It will not protect against employees blackmailing their employers.
However, if an employee keeps copies of mail in violation of a document retention policy, that employee can be sued separately. I imagine federal whistleblower laws might offer some protection, but in the case of a civil suit between companies, if an employee maintains a banned archive and then sells access to that archive to the other company's legal team, the employee is likely to suffer.
Re:Offshore email servers (not just with HavenCo) (Score:2)
It's just that Joe Programmer being fired because he couldn't prove the customer asked for what he provided and then the customer changed his mind later doesn't exactly make the news headlines the same way.
Re:Offshore email servers (not just with HavenCo) (Score:2)
I know what you're going to say to that: the users could easily save local copies of the message to their hard drive. If the company standardizes on an in-house e-mail client (or a mail client that comes with source code), then they can remove any features that they don't like, such as saving local copies.
It doesn't stop someone from printing out an e-mail, using cut 'n' paste, etc. However, it's a lot better than using POP.
Re:Offshore email servers (not just with HavenCo) (Score:1)
If I worked at such a place (while I was looking for another job), you can bet I'd be archiving everything that might ever be relevant. In fact, if I were ever involved in legal action against them, my lawyer might just make some hay of the lengths to which they went to try to keep me from preserving the evidence against them.
Re:Offshore email servers (not just with HavenCo) (Score:2, Interesting)
Re:What is so funny. (Score:2)
The one off the US coast even has a mutual protection pact with the US.
Re:Offshore email servers (not just with HavenCo) (Score:3, Informative)
I'm unclear about this. If they get a subpoena, it could be worded such that it's the mail they're interested in, not the physical storage device. In JWZ's account of the subpoena'ing of Really Bad Attitude [jwz.org], they didn't seize any of Netscape's servers, they required Netscape employees to print the whole thing out. If a court orders the company to deliver copies of their email, and they refuse, they're in contempt of court which is an offence in and of itself. And if HavenCo assist them, while it may be perfectly legal under Sealand's judicial system (assuming you have a formal set of laws there), don't forget you are surrounded on all sides by the EU who aren't above applying their own laws outside their jurisdiction. Witness pressure from the EU and US on offshore tax havens.
What if they take out an injunction against your upstream bandwidth provider(s)? What if they send Customs and Excise agents to raid you, as the UK has done to vessels at sea suspected of smuggling? (Backed by a Navy frigate and detachment of Marines, usually). What if you personally are arrested as soon as you enter an EU country?
I'm not saying that it's impossible to provide such a service, but that it's becoming increasingly difficult.
Re:Offshore email servers (not just with HavenCo) (Score:3, Informative)
The employees of a company would first receive a subpoena in the discovery process to turn over all relevant mail. If the employees refuse to comply, they will be found in contempt and locked up indefinitely.
However, they can only comply if they are technically capable of complying. It is not contempt to say "that document was shredded a year ago in accordance with our published retention policy", if the document was actually shredded. If recovering mail is blocked by a systems administrator located outside the jurisdiction at hand, then it would be technically impossible for users to recover the mail, and then they would be ok.
It would not be acceptable for someone who receives a subpoena to delete his own key locally and thus lose access; that would be considered a willful obstruction of the legal process. But it is perfectly acceptable for an overseas party not named on the subpoena (or not served) to take arbitrary actions, and it's acceptable for a company to contract with an offshore agent to undertake security monitoring of a site and lock off access in the event of any suspicious activity.
(I would be amused if these slashdot postings themselves ended up in testimony when we finally have a test case on the email servers)
Re:Offshore email servers (not just with HavenCo) (Score:2)
How would you deal with the case that you mentioned, if you detect suspicious activity, call up the customer and ask if they really meant to be downloading their entire archive? They would have no choice but to say yes, they really did want to. If they did say no, they're busted.
And signing a contract that stated that you would be blocked from accessing your own email if a subpoena was served puts the customer on uncertain legal ground. Basically, I'm saying that the court would find contempt at the very minimum.
Re:Offshore email servers (not just with HavenCo) (Score:1)
That's fine. The court has the CEO locked up for contempt until the contents of that offshore mail server are delivered for discovery. Or the judge signs an order allowing hired stormtroopers to take every PC in the company for forensic analysis. Problem solved. Or am I missing something here? I imagine judges look dimly upon such blatant attempts to conceal evidence to protect against what you're calling "legal attacks" and that they call "justice."
Re:Offshore email servers (not just with HavenCo) (Score:2)
If an offshore party refused to assist the subpoenaed party in taking an action, the onshore party would NOT be in contempt of court, provided he could not take the action alone anyway, and provided he had not instructed the offshore party to destroy documents or whatever after the subpoena was received (but rather, the offshore party continued to operate under a pre-existing contract presented to the court); the CEO would not be in jail.
(Certainly this was true some time ago. The RIP Act in the UK may complicate things for those in the UK, and there might be civil lawsuits against the company for contracting with a non-cooperative offshore party in the first place, but this is far less than the original case)
As for liability on the part of HavenCo for continuing to respect a lawful contract even once our counterparty has legal difficulty in another country -- perhaps. As far as I can tell there is not a lot of precedent here. The Sealand Government would presumably receive legal requests from overseas governments; it would be a violation of Sealand Law to comply with them. The analogy is offshore trusts, where if a doctor for instance is sued for malpractice in the US, the offshore trust will not turn over assets, which has been tested repeatedly. The US specifically has engaged in "trust busting" with respect to fraudulent forms of trusts used for tax evasion, but the general concept of trust is respected greatly in most other common law countries, and aside from tax issues and criminal investigations, in the US as well.
Re:Offshore email servers (not just with HavenCo) (Score:1)
So long as a company has either (a) assets in the US that can be seized and sold or (b) people in the US who can be locked up for contempt citations, it does not matter where the data is so long as the US company controls it.
If a grand jury or a party to a civil suit subpoenas a company's mail server's harddrive and the company is unable to get a judge to throw out the subpoena, saying that the hard drive is not in this country is not an excuse. The company must turn it over or risk sanctions including just being handed a loss in the lawsuit.
The offshore agent not releasing files without certification that the request is not due to legal duress is a nice move, but one that isn't 100% effective. People who have tried to hide assets in off-shore trusts with similar provisions have found out the hard way that if the government is determined enough, it can make it worth your while to bring the assets back to this country.
Re:Offshore email servers (not just with HavenCo) (Score:2)
The US's trust-busting is primarily focused on tax and criminal investigations, and requires the cooperation of the offshore jurisdictions in which the trusts are domiciled. Sealand Law would make it illegal for the Sealand Government or HavenCo to comply with any requests for the data.
Not a solution (Score:1)
Re:Not a solution (Score:1)
Re:Not a solution (Score:2)
The overarching principle is that the party having received the subpoena is not capable of taking the action, and does not contribute to the action being prevented.
Off shore ? (Score:3, Interesting)
Placing/using an email server 'off-shore' offers no more protection than refusing to hand over the messages in the first place; you will be in contempt of court and go to jail until you agree to turn them over. FACT!
Causing the destruction of evidence is a crime, in most countries, even if it is carried out by an agent. So in most cases, all 'HavenCo' will achieve is to further incriminate.
BTW: How does a mindless commercial plug warrant +5 Interesting?
Re:Off shore ? (Score:2)
.. BUT, this assumes that the mail is known to exist.
What if I deleted everything which I didn't want seen, then supplied the rest.
How would you know if I handed over everything or not?
If you can't see any advantages, you're not thinking evil enough - you'd never make a CEO of Enron!
HavenCo will destroy Sealand (Score:2)
I am the CEO of a UK-based company. I send documents to you, with the instructions "Give me access to these documents on demand, unless you think I'm being subpoenaed". Then, when the subpoena comes, I'm supposed to tell the court "I can't give you those documents; I'm paying HavenCo not to give them to me"?!
I effectively made a contract with you designed to obstruct justice. They'll just lock me up for contempt until you hand them over. In that case, are you still planning to keep them locked up forever while your customer rots in jail?
You must have gotten Prince Roy pretty wasted before he signed the contract to allow you to do business in Sealand. He must be regretting jumping on the Internet bandwagon about now. This behaviour will eventually prompt Britain or the EU to take action and dissolve Sealand, and you won't care because it's not your little-recognized sovereign nation you destroyed with your shady business practices.
Re:Offshore email servers (not just with HavenCo) (Score:3, Informative)
I represented an American investment bank that was stiffed on a deal with a foreign company. The fact that many of the relevant documents were scattered throughout Asian offices of various companies made little difference in our ability to force our opposition to produce many boxes of documents, including email stored on off-shore servers.
I'm not sure why you would try to detect if your customers are being subpoenaed. Why would you disallow your own customers to download their own documents? If you think you're helping them by refusing to allow them to comply with a subpoena, you're mistaken. Companies that intentionally put themselves in the position of losing control of their own documents to avoid legal process will not be treated kindly by courts. I can think of little better news than opposing counsel coming to me with a sob story about how his client's agent refuses to turn over the documents. In the case of third-party subpoenas, such tactics would quickly result in mounting sanctions.
I can see reasons for getting documents offshore. From a legal perspective, though, this does not do much good. I hope your service wins a lot of customers. I can't wait to litigate against somebody dumb enough to hide his documents in this manner.
Re:Offshore email servers (not just with HavenCo) (Score:2)
Why not give them two passwords. One for "normal" use, and one that automatically flags your alarm system. They can ostensibly be "complying" with the court order while at the same time having your system automagically alter or destroy all the "good stuff".
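The two-password idea above is a duress password: both passwords log the user in identically from the client's point of view, but one of them sets a flag on the server. The following is an added example of the verification step only, not code from the thread or any product; it assumes a hypothetical account record holding two independently salted scrypt verifiers. The duress branch just returns a distinct result for the caller to act on; what the server then does with that flag is policy and is not shown.

```python
"""Two-password ("duress") login check.

Added example; not code from the thread or any product. Assumes a hypothetical
account record with two independent scrypt verifiers: one for the normal
password and one for a duress password that produces the same visible session
but a different result code for the server to act on.
"""
import hmac
import os
from hashlib import scrypt

# Work factor: 2**14 * 8 * 128 bytes = 16 MiB, within hashlib's default maxmem.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def _derive(password: str, salt: bytes) -> bytes:
    return scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def enroll(normal_pw: str, duress_pw: str) -> dict:
    """Create an account record.

    Each password gets its own random salt, so the two stored verifiers reveal
    nothing about each other and an attacker holding the database cannot tell
    which of the two is the duress one.
    """
    if normal_pw == duress_pw:
        raise ValueError("duress password must differ from the normal password")
    s_normal, s_duress = os.urandom(16), os.urandom(16)
    return {
        "normal": (s_normal, _derive(normal_pw, s_normal)),
        "duress": (s_duress, _derive(duress_pw, s_duress)),
    }


def check_login(record: dict, candidate: str) -> str:
    """Return "ok", "duress" or "fail".

    Both verifiers are always derived and compared, so the work done (and the
    response time) does not depend on which password was supplied. The client
    must receive the same session either way; only the caller sees "duress".
    """
    s_normal, v_normal = record["normal"]
    s_duress, v_duress = record["duress"]
    d_normal = _derive(candidate, s_normal)
    d_duress = _derive(candidate, s_duress)
    normal_ok = hmac.compare_digest(d_normal, v_normal)
    duress_ok = hmac.compare_digest(d_duress, v_duress)
    if normal_ok:
        return "ok"
    if duress_ok:
        return "duress"   # caller records an alert; client gets a normal-looking session
    return "fail"


if __name__ == "__main__":
    acct = enroll("correct horse", "battery staple")
    for attempt in ("correct horse", "battery staple", "wrong"):
        print(attempt, "->", check_login(acct, attempt))
```

The part that makes or breaks the scheme is outside this function: the session handed back on the duress branch has to be indistinguishable from a normal one, including response timing and any error text, or the person watching over the user's shoulder learns which password was typed.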
Re:Offshore email servers (not just with HavenCo) (Score:2)
Because if they "win", you can be sure that SeaLand won't be allowed under Sharia.
From the article.... (Score:3, Funny)
1.4 Billion SirCam "I send you this file for advice". Probably.
Easy and secure delete (Score:3, Funny)
NB. This method works best if this is also the only copy of said information.
What about the benefits (Score:4, Interesting)
What about a story on the benefits of keeping old emails? I'm tired of hearing about the costs.
Fucking lawyers. Oh, my mistake. It isn't the lawyers, it is the legislators. Fucking legislators. Oh, my mistake. It isn't the legislators, it's the voters. Fucking voters. There, that's better.
HERF gun (Score:2, Funny)
Lotus Notes (Score:2, Insightful)
And as to it comming back to bite you... Don't do anything bad.. Be open honest and totally transparent in all your business dealings.. then nothing can come back and bite you.
:-)
Interesting moral position (Score:5, Interesting)
I find it fascinating that people openly discuss ways of destroying evidence in case of possible legal action. Is this going to be a standard MBA course from now on: "How to cover your tracks" or "Case Studies: Failures in Shredding Policy from Watergate to Enron"?
It makes you wonder why nobody looks at it from the opposite side. If you don't do anything illegal then your e-mail archive could prove valuable for your own defense. Trading companies, for example, keep all records of customer interaction, including phone calls, for use in the event of a dispute. You can never claim that your broker did something without authorisation because they archive everything.
Re:Interesting moral position (Score:4, Interesting)
Re:Interesting moral position (Score:1)
Re:Interesting moral position (Score:3, Informative)
It's not just about destroying evidence that could be used against you, maybe. I'm not in Records Management, but I bet complying with a subpoena is a lot easier when there's simply less email hanging around--if you have a good, enforced retention policy, you can honestly say "Here is what we have. We don't have anything older than n days, according to policy," and save thousands of dollars in staff time that would have been spent mounting old backup tapes and cruising employees hard disks trying to honestly comply with a court order.
illegal (Score:1)
Have you ever, um, looked at legal statutes? Just law, mind you, not "case law", i.e. every case ever litigated.
I have, in support of a project I work on. Just one narrow area of law, in one U.S. state. I tried to limit it to just the statutes, but I also had to look at some regulations and "policy", i.e. how the agencies involved chose to interpret the law.
It's insane. Maybe, with an army of lawyers, you could sorta comply with everything. Except the parts that are contradictory, impossible, or just too vague.
I doubt if anyone avoids "illegal" activity even in their personal lives, and it is actually impossible for business or even government, any complex entity. The problem with email and other electronic retrieval is that the normal wiggle room of life shrinks and shrinks. Aha, they did something illegal! This is done to make Joe Blow think the accused has done something actually immoral, when it could just be some absurd technicality, or just the sheer weight of things to comply with.
By the way, big business, the bugaboo of /., doesn't really mind this situation much. Makes it so hard for some upstart competitor to emerge and compete.
Re:Interesting moral position (Score:1)
I am not advocating the destruction of documents to hide things, however for the general case, once a new revision of some document is out, everyone needs to trash their local copy. Formal document control programs are great for handling these kinds of things and helping to enforce protocols like this. Not to say a user can work around them, just any little bit helps.
I am sure this will turn out to be an interesting legal discussion for some time to come.
all this seems strange to me.... (Score:4, Funny)
Then the CEO told us to auto-delete mail older than 90 days... well, the Exchange server crashes took care of that too
Re:Exchange 2K (Score:2)
So what? (Score:4, Insightful)
I'm having a hard time figuring out what his point is. He's saying "we need a policy for archiving e-mail" and then he talks about Enron, where any policy regarding e-mail would have resulted in evidence being destroyed. Is he saying we need to start pre-emptively destroying email in case there's something incriminating in it?
"Digging up the dirt" isn't a new problem. Back when everything was done on paper, you could make copies and stash them somewhere, so shredding the original was never enough to ensure the document didn't exist anymore.
And as for saying "e-mail will play a role in many other unfolding corporate stories", well, duh!
Re: (Score:2, Funny)
Keeping what you need... (Score:2, Interesting)
It's also annoying because I get a lot of informational mail that I "need" to keep. So it's either print them out or lose them. Well it would be if it worked right.
Re:Keeping what you need... (Score:2)
Bonus points: if the hammer is threat of termination, how does the company catch the employee, save for pervasive, big brother type monitoring?
Re:Keeping what you need... (Score:2)
lack of regulation & lack of understanding (Score:1)
for example, my boss, God love him, has no idea how email works from the server end. frankly, we would-be administrators don't have the best understanding of it either.
with this in mind, i think one of the most interesting things to see is how any document retention scheme would be implemented by many smallish and medium sized businesses. of course, i'm thinking that we may not have the appropriate skills or facilities to carry out a document retention policy that the government might impose. the other possibility -- more likely in an Enron case, is that employees might purposefully botch such a policy.
MS communications (Score:3, Funny)
All communications happen in closed door sessions.
Verbal communications are also discouraged.
Most of these meetings are like a game of charades.
Netscape history (Score:5, Interesting)
http://www.jwz.org/gruntle/rbarip.html [jwz.org]
A very good example of how essentially harmless email can be seriously misinterpreted.
Slow decay is easy... (Score:2)
On a related note, I find people that put things in email they would not put on ordinary paper quite unaware of reality. Don't they know there are devices called "printers", that can put emails on paper? Don't they know that email obviously is "written text"? Except for being far more convenient, I assume that an email is a written document, that will be stored by whoever I send it to.
Re:Slow decay is not mag tape (Score:2)
Very high quality tape? I have to admit I don't have personal experience with old tapes, but I heard in several places that the oxide layer is flaking off on some of them and the read signal gets very weak with time.
The copy-through effect also degrades ordinary tapes when they are unwound and rewound (as in "playing" them). I also have several 5-8 year old 3.5" floppies that have become unreadable because of weak read signal.
Anyway, I will accept that my time-frame is wrong if you say your old tapes are still good.
Don't Use Email for Everything (Score:3, Informative)
The lesson? Don't use email to distribute that 10 MiB presentation. If you have a memo, then email everyone a link to it and set the web server to spit out a no-cache HTTP header with the page. If you have a file to share with some people, put it on a file server and give people the link via an email, but don't just attach the little bastard file, which probably isn't so little anyway.
What is the legal status of email? (Score:5, Interesting)
Emails can be forged so easily, how is their authenticity established?
I guess any decent sysadmin in the world could show the court a whole bunch of threatening emails from the CEO of his company, what would a court do in such a case?
Re:What is the legal status of email? (Score:3, Informative)
Courts aren't like the movies. In real litigation, the parties don't have many fights about whether a document is what it purports to be. They have fights on how to interpret the document, but not about whether it really came from the CEO or not.
The reason for this is that email is largely self-authenticating. Most litigation involves at least one party that is a company. All but the smallest companies keep track of their email automatically. When the request for documents comes in, IT does a keyword search, dumps a bunch of emails to a CD-ROM and hands it to the lawyers. The lawyers filter the emails and hand over the relevant ones to the other side. The lawyers keep their clients reasonably honest.
If a plaintiff comes up with an email that the other side doesn't have a record of sending, they'll have a battle over whether it is real. Both sides present evidence and the jury or the judge makes a decision as to whether it's an authentic document or not.
In a company of any decent size, the person keeping track of emails and other documents is not important enough to have his or her ass on the line. If they are asked to forge or destroy documents, they'll either refuse or else they'll be extremely willing to talk about it. If there is ever a trial over Enron, we'll see a parade of paralegals, secretaries and mailroom clerks testifying about shredding documents until 3am every night. These things have a way of getting out.
So: If a sysadmin forged a bunch of emails from the CEO, the court would either let the jury decide if the emails were real or, if their authenticity were very clear, rule on the issue before trial. It would be up to the CEO and his attorney to show the court why these aren't real. If the sysadmin gets caught forging, he probably goes to jail for a little bit.
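The "self-authenticating" point above rests on one mechanical check: does the organisation's own archive hold a copy of the message the other side is presenting, in the same form? The following is an added example, not code from the thread, of that cross-check. It assumes a hypothetical archive index keyed by Message-ID that stores a digest over the identifying headers and the plain-text body, with header whitespace and trailing body whitespace normalised so a re-wrapped or re-printed copy still matches. Received: and other transport headers are deliberately left out of the digest, since they legitimately differ between the sender's and recipient's copies.

```python
"""Cross-check a produced e-mail against an organisation's own mail archive.

Added example; not code from the thread. Assumes a hypothetical archive index
keyed by Message-ID holding a digest of each archived message. A presented
message with an unknown Message-ID has no record in the archive; one with a
known Message-ID but a different digest differs from what was archived.
"""
import email
import hashlib
from email import policy

DIGEST_HEADERS = ("from", "to", "date", "subject", "message-id")


def _parse(raw: str):
    return email.message_from_string(raw, policy=policy.default)


def canonical_digest(raw: str) -> str:
    """SHA-256 over the identifying headers plus the text body.

    Header values have internal whitespace collapsed (undoes folding) and body
    lines have trailing whitespace stripped, so harmless reformatting does not
    change the digest while any change to the words does.
    """
    msg = _parse(raw)
    parts = []
    for name in DIGEST_HEADERS:
        value = msg.get(name, "")
        parts.append(f"{name}:{' '.join(str(value).split())}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    parts.append("\n".join(line.rstrip() for line in text.splitlines()))
    return hashlib.sha256("\n".join(parts).encode("utf-8")).hexdigest()


def build_index(archive):
    """Map Message-ID -> digest for every raw message in the archive."""
    return {str(_parse(raw)["message-id"]): canonical_digest(raw) for raw in archive}


def classify(raw: str, index: dict) -> str:
    """Return "matches-archive", "altered" or "no-record" for a presented message."""
    mid = str(_parse(raw)["message-id"])
    if mid not in index:
        return "no-record"
    return "matches-archive" if index[mid] == canonical_digest(raw) else "altered"


# Constructed sample messages; not real correspondence.
ARCHIVED = """\
From: CEO <ceo@example.com>
To: Ops <ops@example.com>
Date: Fri, 18 Jan 2002 09:15:00 -0500
Subject: Q4 figures
Message-ID: <20020118091500.1@mail.example.com>

Please have the Q4 figures on my desk by Monday.
"""

# Same message as printed and re-typed: extra spaces in the subject, trailing spaces in the body.
PRESENTED_REWRAPPED = ARCHIVED.replace("Q4 figures\n", "Q4  figures\n").replace("Monday.", "Monday.   ")

# Same Message-ID, but the body has been changed.
PRESENTED_ALTERED = ARCHIVED.replace("by Monday.", "by Monday, or you are fired.")

# A message the archive never saw: From: is just text, so anyone can write it.
PRESENTED_FORGED = ARCHIVED.replace("<20020118091500.1@mail.example.com>", "<fake.1@mail.example.com>")

if __name__ == "__main__":
    index = build_index([ARCHIVED])
    for label, raw in (("rewrapped", PRESENTED_REWRAPPED), ("altered", PRESENTED_ALTERED), ("forged", PRESENTED_FORGED)):
        print(label, "->", classify(raw, index))
```

The check only says whether the archive agrees with the presented copy; it cannot tell an outright forgery from a message the archive simply failed to capture, which is exactly the gap the post says both sides end up litigating.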
Re:What is the legal status of email? (Score:2)
I was going to say that most of the email sent and received in my corporation is not digitally signed.
I used to get laughs from coworkers by sending them messages with the name of the CEO in the From: field.
I can see the legal battles of Bill Clinton continuing as his sexual misbehavior is further detailed by all those Usenet postings to the alt.sex sites...
However, it's a good point. I think in the future that important emails will get my digital signature, even if puzzled recipients don't know WTF GPG is.
I suppose... (Score:2, Funny)
Re:I suppose... (Score:2)
Encryption? (Score:2)
Of course, I'm sure some will say this is beside the point. Nothing stops employees from printing/saving email, especially if they WANT to incriminate the company. I don't think email makes this more of an issue than non-email incrimination does, however... just don't talk dirt in your email, duh?
Email security (Score:1)
Don't say anything, anywhere, that you don't want repeated.
Don't do anything, anywhere, that you don't want to be held up for.
Be aware of your email.
Oh, and use a decent email client/server solution. Use IMAP so that you only have one mail store. Delete old files.
And beware... Big Brother IS already watching a LOT of people.
Re:Email security (Score:1)
Besides, that, though, I delete my e-mail that's over 6 months old every month, and assume that if any info were that important it would've been copied.
I would also argue that e-mail is not *more* dangerous. Who was to say that an employee didn't make a secret photocopy of a paper memo and sneak it out of HQ?
Same old problem... same answers
Government email (Score:4, Informative)
What this means is that anyone can walk into any State agency and under this act require that the agency provide copies of its email.
There is a charge to cover costs and a waiting period to allow the information to be gathered.
This can cause real problems for agencies that delete email without a policy covering the removal of this information. Basically, if the agency deletes email without such a policy they can be required to "recover" their email. If they don't have the expertise to do so they can be required to contract out to a company who does have the ability. This could cost them tens of thousands of dollars.
Better to have a policy and to stay within the guidelines!
New product for business email (Score:1)
Forgot the URL! (Score:1)
Bad news (Score:2)
This morning on the radio... (Score:2)
Now there's a ready-made excuse for Enron...
It's not just about destroying evidence (Score:5, Insightful)
However destroying evidence is only a small part of what this debate is about - it just makes for the flashiest headlines.
The issue is about the way email is used - many people write emails with an informality similar to speech, forgetting that email often has a 'lifespan' equivalent to many physical documents. When you also consider that emails are being used as documentary evidence in legal cases this begins to be a cause for concern. Why? Because people don't always express themselves precisely and may give a misleading impression - especially if the email is taken in isolation.
And it's not just the informality, it's the 'working document' status of email. Let's say a particular business decision is the subject of scrutiny in a legal case, and let's say it was a decision reached after some discussion. If that discussion took place in a meeting then the documentary evidence would be the minutes - which would express the decision reached. If that discussion took place over email - would you be able to discern later that an email saying "We should do X" was expressing the final decision or merely a point of view in an on-going discussion? What if you had to prove that Y not X was the final decision?
So the policies that need to be implemented are not necessarily about covering up wrong-doing, they are about making sure that documents (emails) which may be treated as written communication, have the clarity and rigour that they need. If they are informal working documents then they may need to be either clearly marked or destroyed at an appropriate time.
In my view the heart of any sensible policy should be education about how to write emails appropriately. The guideline I always use is "am I still happy to send this knowing that my customer/competitor/a.n.other could potentially see it one day?" If the answer is no then the email either needs re-writing or possibly a different form of communication is needed.
Not so simple (Score:2, Interesting)
Another aspect to this that seldom gets mentioned is the notion of one-sided archiving: Two people in negotiations have a dispute about how the e-mail-based conversations went, and only one can produce the prior e-mails (and often selectively at that, leaving out the ones that don't support his/her side of the argument).
About the only solution is to be as careful as you can about what you put into e-mail (in all iffy situations make explicit references to all pertinent correspondence and other docs), and make sure you can retrieve everything from your past e-mail when needed.
Two points on this (Score:2, Interesting)
Some people are super efficient - their inbox is virtually always empty, anything they need to keep is moved more or less straight away to a permanent folder related to the subject, and anything they don't want to keep is deleted.
If I look over my shoulder at some of my more senior (chronologically speaking) colleagues, their inboxes are a mess. They can't recall email on a particular topic, they don't process incoming email into sensible subjects, they just let it pile up. Then I hear them complaining that they get too much email.
Secondly (and perhaps more on-topic) is the matter of physical document retention.
Many companies simply retain everything, and the cost of storing these documents mounts up and mounts up. People have the attitude that "we might need it some day". Yes, you might.
But you might not.
Cost of storage of every document ad infinitum = $x.
Cost of impact of not having a document at some arbitrary time in the future = $y.
If $y is less than $x then why are you keeping every document by default?
Or don't you know what x and y are?
I think.
On public "radar" since 1987 (Score:3, Informative)
I'm a little surprised the article didn't mention the greatest email bust of all. In 1987, the questionable para-military funding activities of USMC Lt. Col. Oliver North were uncovered partly by an investigation of messages that he thought he'd deleted from the White House's internal email system.
North hadn't counted on the "deleted" messages showing on backup tapes.
Partly because of this smoking-gun evidence, North was convicted in 1989 [heroism.org] of aiding in the obstruction of Congress, accepting illegal gratuities, and destroying documents.
North's conviction was later overturned (with great irony considering his status as a law-and-order conservative icon) on a legal technicality.
Document Shredding (Score:1)
Can't say I agree with the policy entirely, but I'm just a worker bee.
I like the Poll (Score:1)
Tech News Poll
Should websites stop running online polls
because they are unscientific?
[] Yes
[] No
[] Don't Care
No CowBoyNeal option, but funny question !
Outsourced Email/Better Internal Solutions (Score:2)
Along the same idea as Microsoft's software subscriptions, this could be the email model of the future. Now we throw in the factor that companies may not even be in control of where/how their documents are being destroyed? Assuming, of course, that it is possible to destroy all evidence of an email. (Due to the nature this could be quite difficult)
I know that even with on-site, 100% controlled email it has proven difficult to find a good way to enforce a document retention policy. Users (and I'm no different) have a tendency to want to hoard their past emails, text index them, and search them from time to time, as you never know just what pieces of the past, from two weeks to two years, might prove useful. You can restrict the size of a user's mail-file size, but this only restricts how much they save and not how far back they can save. As of right now, mail servers don't seem to take into account an enforced document retention policy. Will a "Delete Documents Older Than:" field appear as an option on newer versions of Exchange or Domino?
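A "delete documents older than N days" rule does not have to wait for the mail server to grow such a field; it can be applied at the mailbox level. The following is an added example, not code from the article or from any product it names: it applies an assumed 365-day window to a local Maildir, moves expired messages into a sibling archive folder, and reports undated messages instead of deleting them.

```python
import email.message
import email.utils
import mailbox
import os
import tempfile
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 365  # assumed policy window, not a figure from the article

def message_age_days(msg, now):
    """Age from the Date header; None if the header is missing or unparseable."""
    try:
        sent = email.utils.parsedate_to_datetime(msg.get("Date", ""))
    except (TypeError, ValueError):
        return None
    if sent.tzinfo is None:  # a "-0000" zone parses as naive; treat it as UTC
        sent = sent.replace(tzinfo=timezone.utc)
    return (now - sent).total_seconds() / 86400

def enforce_retention(maildir_path, now, retention_days=RETENTION_DAYS):
    """Move messages older than the window into a sibling '.expired' Maildir.
    Undated messages are reported rather than dropped, so the run stays auditable."""
    live = mailbox.Maildir(maildir_path, create=False)
    expired = mailbox.Maildir(maildir_path + ".expired", create=True)
    report = {"purged": [], "kept": [], "undated": []}
    for key in list(live.keys()):
        msg = live[key]
        age = message_age_days(msg, now)
        bucket = "undated" if age is None else "purged" if age > retention_days else "kept"
        if bucket == "purged":
            expired.add(msg)      # Maildir writes are applied immediately
            live.remove(key)
        report[bucket].append(msg["Subject"])
    return report

def demo():
    # Constructed sample Maildir (not real mail): one old, one recent, one undated.
    now = datetime.now(timezone.utc)
    path = os.path.join(tempfile.mkdtemp(), "Maildir")
    box = mailbox.Maildir(path, create=True)
    for subject, sent in (("Q3 forecast", now - timedelta(days=400)),
                          ("Lunch?", now - timedelta(days=10)),
                          ("Undated draft", None)):
        msg = email.message.EmailMessage()
        msg["From"], msg["To"], msg["Subject"] = "alice@example.com", "bob@example.com", subject
        if sent is not None:
            msg["Date"] = email.utils.format_datetime(sent)
        msg.set_content("constructed body")
        box.add(msg)
    return enforce_retention(path, now)
```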
Plead the 5th (Score:5, Interesting)
A corporation [lectlaw.com] is a legal construct designed to give a business the same rights as a person, right? If so, in the face of a subpoena duces tecum [lectlaw.com], why can't a corporation plead the fifth amendment [cornell.edu]? I assume there's a clear legal answer, but IANAL.
Re:Plead the 5th (Score:2)
Re:Plead the 5th (Score:2)
That's no different than saying the evidence in question is in a closet and only the CIO has the key.
The court can legally compel you to hand over the key. If you don't do it, you go to jail for contempt, and they'll break the door down anyway.
In the case of encryption, it's possible that officers of the court may be unable to break down the door. Fine. But then you're still in jail, which is what you were presumably trying to avoid with encryption in the first place.
Re:Plead the 5th (Score:2)
Re:Plead the 5th (Score:2)
Turning over an encryption key would not qualify as testimony, for several reasons. The most important one is the fact that, under those circumstances, you wouldn't be placed under oath.
The fifth amendment's primary purpose is to give an individual an "out" when faced with the choice of confession versus perjury. When you're placed under oath and asked questions by the court, you can opt not to answer those questions on the grounds that you'll either be incriminating yourself, or lying under oath.
Turning over your encryption key, on the other hand, doesn't involve being placed under oath. A summons will show up at your door, carried by your friendly neighborhood police officer, and you can either cough it up or go to jail. At the least, you'll be in contempt of court. At worst, you can be charged with obstruction of justice.
Re:Plead the 5th (Score:2)
You don't get it. Protection from incriminating statements only applies during testimony. It doesn't protect you from having to comply with a subpoena.
An encryption key is a piece of material evidence, insofar as it relates to the unlocking of other pieces of material evidence. Providing it is not testimony, and it's not covered by the fifth amendment.
Re:Plead the 5th (Score:2)
Miranda v. Arizona, 1966. Miranda married the concepts of protection from self incrimination (5th amendment) and the right to counsel (6th amendment).
But Miranda also has a scope. The Miranda doctrine only applies if the subject is in custody and under interrogation.
The objective test for "custody" is whether, under those circumstances, a reasonable person would believe, based on an officer's actions or statements, that he or she is not free to leave.
Being under "interrogation" requires that the subject be asked questions that imply involvement with a crime. "What did you see?" isn't an interrogative question. "Where were you on the night of January 21st?" is.
So to protect you from being compelled to answer a question under oath that incriminates you, you have the protection of the 5th amendment. To protect you from being treated similarly in a custodial or arrest situation, outside the context of a legal proceeding, you have Miranda.
Re:Plead the 5th (Score:2)
That's just the thing. The fact that a password exists only in your head doesn't suddenly make revealing it a statement. It's not testimony. It's evidence. There's a really important distinction between the two.
The thing is this: if I (the State or Feds or whatever) subpoena your laptop as part of a civil investigation, then you are legally obligated to turn it over. If you fail to do so, you are in contempt of court for failure to turn over the laptop. This is true even if the laptop, or the files contained therein, is ultimately incriminating to you.
If you turned over just the laptop's keyboard, you would not be in compliance with the subpoena. You'd be in contempt.
If you turned over the laptop, but not the hard drive, you'd be in contempt.
If you turned over the laptop, and the hard drive, but not the password to access it, you'd be in contempt.
See? A password is not testimony. It's part of the laptop, from a legal point of view. So you can't be protected from turning it over by the fifth amendment.
Re:Plead the 5th (Score:2)
Are there any cases where people have gone to jail for not revealing their passphrase or turning over a private or symmetric key? I am a huge fan of cryptography, but if keys kept in my head can be attacked by putting me in jail, then I'm not so sure it's the best solution.
Re:Plead the 5th (Score:2)
This is clearly wrong. If corporations are to be treated as people, then they should also be subject to the penalties of criminal law.
Mind you, I'm not saying that you aren't speaking accurately, merely that what you are reporting is a moral, ethical, and legal wrong.
Use MS Exchange Server (Score:1)
s no good, go find one that works. "Sorry everyone, the e-mail server's been rolled-back to last Wed night at 6:00 PM. Sorry for the trouble."
I can't believe MS got in trouble for having e-mail retained too long, they must be using AS/400's or *nix + Domino for e-mail.
-Krus
how can you prove it. (Score:2, Informative)
The biggest question I have about this is how can they prove that the person whose name is on the From: actually sent the e-mail?
We all know just how insecure e-mail really is and how easy it is to forge an e-mail, so how can these e-mails stand up as evidence? I can see some justification if the headers show the e-mail coming from that person's workstation's IP connecting to ${CORPORATE_MAIL_SERVER}, but even this is not 100% proof that it came from ${PERSON}.
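The check this comment proposes, whether the first hop in the Received chain was recorded by the corporate mail server from a workstation address, can be automated. This is an added example, not from the article: the server name, the 10.20.0.0/16 workstation range and the sample headers are all constructed stand-ins for the comment's ${CORPORATE_MAIL_SERVER} and ${PERSON}.

```python
import ipaddress
import re
from email import message_from_string

# Constructed stand-ins for the comment's ${CORPORATE_MAIL_SERVER} and the
# workstation subnet; neither comes from the article.
CORPORATE_MAIL_SERVER = "mail.corp.example"
WORKSTATION_NET = ipaddress.ip_network("10.20.0.0/16")

# Matches "from <helo> (<rdns> [<ip>]) by <server>" as most MTAs write it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
    r"\s+by\s+(?P<by>\S+)")

def first_hop(msg):
    """MTAs prepend Received headers, so the oldest hop is the last one.
    Only the hop stamped by a server you control is trustworthy; anything
    below it in the chain was written by whoever submitted the mail."""
    received = msg.get_all("Received", [])
    match = RECEIVED_RE.search(received[-1]) if received else None
    return match.groupdict() if match else None

def assess_origin(raw):
    """Verdict on whether the first hop is a corporate workstation
    submitting to the corporate server, as the comment proposes."""
    hop = first_hop(message_from_string(raw))
    if hop is None or hop["ip"] is None:
        return "unverifiable: no parsable first-hop Received header"
    if hop["by"].lower() != CORPORATE_MAIL_SERVER:
        return "suspicious: first hop accepted by " + hop["by"]
    ip = ipaddress.ip_address(hop["ip"])
    if ip not in WORKSTATION_NET:
        return "suspicious: submitted from %s, outside the workstation range" % ip
    return "consistent: workstation %s submitted to %s" % (ip, CORPORATE_MAIL_SERVER)

# Constructed sample headers, not real traffic; folded lines begin with a space.
INTERNAL = """Received: from mail.corp.example (mail.corp.example [10.20.0.5])
 by store.corp.example with ESMTP; Tue, 22 Jan 2002 09:01:00 -0500
Received: from ws-alice.corp.example (ws-alice.corp.example [10.20.4.17])
 by mail.corp.example with ESMTP; Tue, 22 Jan 2002 09:00:58 -0500
From: alice@corp.example
"""
EXTERNAL = """Received: from mx.unrelated.example (mx.unrelated.example [203.0.113.9])
 by mail.corp.example with ESMTP; Tue, 22 Jan 2002 09:05:00 -0500
From: alice@corp.example
"""
```

Even a "consistent" verdict only shows that a machine on the workstation network submitted the message, which is the comment's point that headers fall short of proving who typed it.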
The next version of Exchange Server (Score:2)
So much for KM (Score:2)
Attitude is the problem, not evidence (Score:2)
"Things will be misconstrued" is a cop-out. How do you misconstrue a direct warning that the recipient is too pre-occupied to do anything about? If there is an explanation, give it. I don't think juries are that stupid. If they are, then we're in a lot more trouble and need to work more at educating them, or at least not putting them to sleep in court.
Sure, anything can be taken the wrong way. But the solution isn't to give nothing, but rather to assist people in seeing the right way. Unless there isn't one! In which case, you're guilty, and I don't see why anyone should help you hide your guilt.
Re:Attitude is the problem, not evidence (Score:2)
Redhat (or insert your favorite company here) sales person sends an email to all sales people as follows:
"Do whatever it takes to bring in those customers."
5 years later, unhappy former employee or disgruntled competitor sues the company. All email is subpoenaed. FavCompany hasn't done anything wrong but the email from sales manager to sales staff is used as "proof/smoking gun" that the company was engaging in anti-competitive business practices.
People can and WILL interpret something in their favor. I can tell another coworker that I think a particular employee is very fetching in that new dress and the next thing you know, I can be sued for sexual harassment by someone who overheard the conversation. This isn't from personal experience mind you but it makes the point clear.
You shouldn't need encryption, right? You don't have anything to hide!
These companies don't need to delete email, right? They don't have anything to hide!
Re:Attitude is the problem, not evidence (Score:2)
In your example, this smoking gun doesn't prove a thing _unless_ there was some anti-competitive activity that resulted. If FavCo had a corporate values statement saying they would obey all laws and act ethically [any company large enough to sue would], then that would be a strong defense. But it would ultimately boil down to what people say that the alleged smoking gun meant to them.
If you don't presuppose some level of reasonableness in juries, then you're living under an oppression much more serious than the government can even impose. The prior-restraint and self-censorship is intolerable. Don't live in fear. Sometimes not even if the fears are real!
Email is public speech (Score:2, Interesting)
1) far too many people had root access to the email servers;
2) far too many people could put sniffers/tcpdump on the ethernet; and
3) far too much mail transited through university campuses (Rutgers Univ comes to mind)
We came to realize, and to advise our management, that email was public speech.
Anything you said was subject to being overheard and repeated. That applies to recipients who forward mail, too.
The same eventually was realized about voice mail.
Encryption (usually) doesn't control recipients storing and forwarding your messages.
slightly different environment... (Score:2)
Re:slightly different environment... (Score:2)
Re:CYA (Score:2)