On May 7, I posted about the Economist article “Spare us the email yada-yada” that asserted that email disclaimers have no legal effect. Financial Times columnist Lucy Kellaway subsequently waded into the debate on June 5 with her column that described a memo sent by the new Philips CEO Frans van Houten to his worldwide employees. The memo is pretty typical of those beloved by senior executives who wish to set a “tone” for the company and lay out some grand plan as to how the company will live up to the aspirations contained in the memo. According to the disclaimer, Lucy commits an offence by sharing the content because she’s not one of the intended recipients (as if company executives never shared their grand visions with journalists).
Of course, many similar memos contain little more than bland pontifications that add exactly zero value to the average employee. However, the thoughts of the wise and senior executives must be protected and that’s why the technology community has been forced by lawyers around the world to make sure that all outgoing email has some legal mumbo-jumbo appended.
Most disclaimers proudly assert the company’s ownership of the email and threaten that fire and brimstone will descend upon the unwitting head of those outside the intended recipient list who have gotten hold of a copy (obviously by illegal means). And if fire and brimstone isn’t sufficient, anyone who is so unwise as to not immediately delete any and all copies of the said message and erase all knowledge of the content from their brain will be assailed by the combined forces of all the legal professionals that the company can muster. In short, if you so much as open a message and glance upon its content to even figure out why you might have received the email, it will eventually lead to a lifetime of penury, your family will be sold into slavery to pay the legal fees, and some pretty nasty stuff will happen to you as the legal pros extract due compensation for your grievous sin.
Or so the legal professionals who drafted the six-paragraph disclaimer hope. And I guess it’s true that there are situations when the disclosure of confidential information that comes into the possession of someone who shouldn’t receive it will break laws and result in penalties. For example, if you received a memo detailing the draft quarterly results of a public company some days before those results were due to be published and you then shared those results via Twitter or your blog – or sent them on to your stockbroker with a request to sell or buy shares in the company – then it’s true that you’ve probably committed an illegal act that will be viewed seriously by the regulatory authorities in most countries. But let’s face it – the vast majority of email that circulates within a company contains little real value to anyone except the recipients and can probably be immediately deleted without the company falling into chaos, so adding the three-paragraph disclaimer is really the equivalent of strapping a chastity belt onto the most unloved person in the harem (yes, I know that could be construed as a politically incorrect statement, but I feel that the analogy is apt).
Even improvements made in products such as Exchange 2010 where transport rules can produce more graphically intense disclaimers, incorporate Active Directory information, ignore encrypted messages, and not stamp disclaimers on the replies in message threads don’t address the foundational point that only some messages really need to be protected. Applying multi-color disclaimer text to a message may cheer up the IT administrator and prove their mastery over HTML commands, but it’s like slapping lipstick on a pig: nicer to look at but still useless.
The only real way of achieving real protection over the content of email is to deploy a system that allows selective and granular access to the content and the operations that recipients can perform after they receive messages. Active Directory Rights Management Services (AD RMS) can actually do this by allowing senders to select from templates that clearly define what recipients can do with messages after they receive them: operations such as forwarding, replying, and printing can be allowed or denied.
AD RMS isn’t the first software that attempts to solve the problem of protecting sensitive content. I can recall products that did much the same for email in the 1990s. However, all of these products seem to run into similar problems:
- It’s extra software to deploy and maintain (cost, testing, and time implications)
- Specific clients may be required (a real pain if you have to deploy to thousands of desktops)
- Protected messages may not be accessible or function properly outside the boundaries of the organization
- Asking users to selectively protect confidential information is not always the best way to ensure compliance. Human beings forget or make mistakes all the time and some information will invariably leak. Security is not the favorite topic of most users!
Microsoft actually tried to do something about the last point with the combination of AD RMS, Outlook 2010, and Exchange 2010 through the introduction of Outlook Protection Rules. These rules are based on AD RMS templates and work on the basis that Outlook checks outgoing messages for specific recipients (individuals or groups) that are covered by Outlook Protection Rules. If these recipients are detected, Outlook automatically stamps the message with the AD RMS template specified in the rule. Sounds good – and it works, but only if you have deployed the complete infrastructure of AD RMS, Outlook 2010, and Exchange 2010. For now, Outlook Protection Rules remain an interesting exercise in computer science for most companies.
The net result of all of this collaborative effort by legal and IT professionals to protect email through disclaimers is that the text generated simply occupies terabytes of useless and duplicated space in email databases across the world. Not really a good situation to be in but that’s where we are until someone is successfully sued for ignoring the warnings contained in an email disclaimer and the principle becomes respected throughout the world. Somehow I don’t see that happening anytime soon, but I have been known to be wrong before.
– Tony
For more information about AD RMS and Exchange 2010, see pages 1072-1080 (chapter 15) of Microsoft Exchange Server 2010 Inside Out
Thoughtsofanidlemind's Blog 
Pingback: Setting up Disclaimers in Exchange 2010 « EighTwOne (821)