The Hamilton Spectator
Thursday, May 15, 1997
pages C1,C2

Watch what you say

E-mail security has lots of leaks

by Marvin Ross, mross@bridgeross.com

Even Microsoft's Bill Gates got caught overestimating the security and confidentiality of e-mail because "people think that e-mail is like water cooler chat" and it's not.

That was the advice of computer law specialist Barry Sookman of the Toronto law firm McCarthy Tetrault who says e-mail has a number of confidentiality problems.

The first, as Gates and others have found out, is the fact that what's said on e-mail may be required to be produced in court as part of the discovery process.

During civil litigation, both parties have the right to examine all documents related to the lawsuit before the court proceeding.

Those required documents now include e-mail.

Microsoft was in a court battle over intellectual property rights and Gates sent an e-mail to his staff encouraging them to "get Stac".

Stac is a California software company that published a disk compression package.

They were suing Microsoft for patent infringement, claiming DoubleSpace in DOS 6 infringed on their LZS data compression.

Microsoft brought a counter claim against Stac.

Sookman said Microsoft claimed the company violated trade secrets because Stac had found a beta or test version of the latest version of DOS on the Internet and downloaded it without permission.

The message from Gates had to be given to Stac's attorneys who kept a blowup of it before the jury throughout the trial.

Proof

It didn't prove anything but planted a seed in jury members' minds.

Stac won its patent infringement case against Microsoft and was awarded $120 million.

Microsoft won its trade secret infringement against Stac but only received $13.6 million.

Gates' e-mail may not have directly affected the trial outcome but in many instances it does.

In 1994, two U.S. West Coast doctors exchanged casual e-mail about one of their patients who had injured his back at work.

The doctors were convinced nothing was wrong with him and one sent an e-mail advising his colleague to "just get rid of him".

The patient's condition deteriorated and he became paralyzed.

The e-mail messages between the two doctors increased and concluded with "we screwed up".

In preparation for the trial, a Seattle-based company called Electronic Evidence Discovery was hired to search the computer files for all records about the patient.

They retrieved 25 e-mail messages thought to have been deleted from the computer.

The result, according to John Jessen, founder of the search company, was that the plaintiff "was happy with his settlement".

The case illustrates another problem with e-mail confidentiality that most people also fail to recognize: Even if you delete your message, it can probably still be found.

Sookman pointed out that in some cases, the actual disk or hard drive was required to be produced in court.

Most people using e-mail do so at work where their own office computer is linked with others in the company.

Daily backup

What they may not realize is that the network is normally backed up every day and the backup tapes are kept.

Although they delete their e-mails, they can be retrieved from the tape.

Sookman said that for this reason, some companies are keeping e-mail in a separate backup file.

That file is kept for 30 days and then purged so the e-mail messages can't be recovered.

David Jones, a computer science professor at McMaster University, said the law requires companies to keep paper records for a certain length of time. Then they can be and are destroyed.

"Now that e-mail has become mainstream, the same policy of a planned lifetime for electronic records should apply", he said.

Jones also pointed out another aspect of e-mail that is often overlooked. People tend to send two types of messages.

The first are the formal work-related messages that must be kept for a planned period of time.

The other set are the informal "water cooler chit chat" between staff to arrange meetings, lunches, and exchange informal gossip or personal information.

Management has the right to look at an employee's e-mail, Jones said.

After all, it is used for company business. If someone is sick or away on business, the company may need to check the information.

They may discover a lot of personal information that should not be there.

In one government office, a secretary left and gave her successor her e-mail password.

The new secretary found several messages indicating her predecessor was having an affair with the human resources manager.

The new employee promptly deleted the e-mail.

Managers have not been clear so far about advising employees on proper use of e-mail, Jones said.

Informal messages could have an "expiry date" and a program would automatically delete all expired messages.

Without that type of safeguard, the dangers for employees are considerable.
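A sketch of the expiry-date program Jones describes, added here as an example and not part of the original article. The `X-Expiry-Date` header name, the one-year lifetime for formal mail and the sample messages are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

EXPIRY_HEADER = "X-Expiry-Date"          # hypothetical header name (assumption)
FORMAL_RETENTION = timedelta(days=365)   # assumed planned lifetime for formal mail

def _when(value):
    """Parse an e-mail date string; return None if missing or unreadable."""
    if not value:
        return None
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def purge(raw_messages, now):
    """Return (kept, purged) lists of Subject lines as of the time `now`."""
    kept, purged = [], []
    for raw in raw_messages:
        msg = message_from_string(raw)
        if msg[EXPIRY_HEADER] is not None:
            # Informal mail: purge once the sender's expiry date has passed.
            # An unreadable expiry date is kept for review, not guessed at.
            expiry = _when(msg[EXPIRY_HEADER])
            expired = expiry is not None and expiry <= now
        else:
            # Formal mail: keep for the planned lifetime, then destroy.
            sent = _when(msg["Date"])
            expired = sent is not None and sent + FORMAL_RETENTION <= now
        (purged if expired else kept).append(msg["Subject"])
    return kept, purged

MAILBOX = [  # constructed sample messages
    "Date: Mon, 05 May 1997 09:00:00 -0400\nSubject: lunch?\n"
    "X-Expiry-Date: Tue, 06 May 1997 09:00:00 -0400\n\nNoon at the deli?\n",
    "Date: Mon, 05 May 1997 10:00:00 -0400\nSubject: contract draft\n\nAttached.\n",
    "Date: Fri, 01 Mar 1996 10:00:00 -0500\nSubject: old invoice\n\nPaid.\n",
    "Date: Mon, 05 May 1997 11:00:00 -0400\nSubject: gossip\n"
    "X-Expiry-Date: sometime soon\n\nDid you hear?\n",
]

if __name__ == "__main__":
    print(purge(MAILBOX, datetime(1997, 5, 15, tzinfo=timezone.utc)))
```

A purge like this clears only the live mailbox; copies already written to backup tape are untouched.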

The only way to avoid your message being stored on the backup tape is to ensure you and the people you send to delete it before it's backed up.

Relying on others to delete your messages is risky as an Ontario government employee found out.

The example occurred during the Skydome scandal under former premier Bob Rae's government.

A group of provincial social services officials planned a meeting at taxpayers' expense at the Skydome Hotel in a room overlooking the baseball diamond during a baseball game.

The bureaucrat who organized the event did so by e-mail and ended with, "delete this after you have read it".

Someone did not follow the instructions.

The message was printed and found its way into the hands of then Tory leader Mike Harris.

Even if you delete a file from your computer, it is still physically there and can be recovered by an expert.

All you are really deleting is the reference or pointer to that file as the computer does not physically wipe out the information.

The area where that file resides can now be used by other files and will only disappear when some other information is copied over it.
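The pointer-versus-data behaviour described above can be seen in a toy model, added here as an example and not part of the original article. The `ToyDisk` class, the 64-byte block size and the sample message are constructed for illustration and do not model any real file system.

```python
BLOCK = 64  # bytes per block in this toy model

class ToyDisk:
    """Constructed model: a directory of pointers over a raw byte array."""
    def __init__(self, nblocks=8):
        self.raw = bytearray(nblocks * BLOCK)  # the physical medium
        self.directory = {}                    # name -> (block numbers, length)
        self.free = list(range(nblocks))       # blocks available for (re)use

    def write(self, name, data):
        need = -(-len(data) // BLOCK)          # ceiling division
        if need > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(need)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.directory[name] = (blocks, len(data))

    def delete(self, name):
        # Only the pointer is removed; the bytes in self.raw stay as they were.
        blocks, _ = self.directory.pop(name)
        self.free = blocks + self.free         # freed blocks are reused first

def carve(disk, marker):
    """Search the raw medium, ignoring the directory; return hit offsets."""
    hits, pos = [], disk.raw.find(marker)
    while pos != -1:
        hits.append(pos)
        pos = disk.raw.find(marker, pos + 1)
    return hits

def demo():
    disk = ToyDisk()
    mail = (b"From: a@example.test\nTo: b@example.test\nSubject: Friday\n\n"
            b"Delete this after reading: meeting moved to the hotel suite.\n")
    disk.write("mail.txt", mail)               # occupies blocks 0 and 1
    disk.delete("mail.txt")
    found = lambda: (carve(disk, b"From: a@"), carve(disk, b"hotel suite"))
    stages = {"listed": "mail.txt" in disk.directory, "after_delete": found()}
    disk.write("memo.txt", b"Q" * BLOCK)       # reuses block 0 only
    stages["after_one_overwrite"] = found()
    disk.write("memo2.txt", b"Q" * BLOCK)      # reuses block 1
    stages["after_two_overwrites"] = found()
    return stages
```

After the delete the file is no longer listed, yet both markers are still found on the raw medium; the header vanishes after the first overwrite and the body only after the second.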

The only way to ensure information on your hard drive or a diskette is really gone is to reformat it.

That will eliminate everything.

People who work in home offices and others who use e-mail over the Internet are not immune to problems.

Their deleted e-mail messages can also be recovered by experts and they cannot guarantee the recipient will not keep the message.

Sookman said that if you are on an Internet mailing list, the wrong people can get your message.

But more importantly, "Sending an e-mail is not like putting a letter in a sealed envelope".

E-mail travels the Internet in packets and bounces from computer to computer before arriving at its destination.

At any one of the computers along the way, copies can be made and read at a later date.

If this happens, you don't know where your message may end up.

Jones agreed this can happen, but said it's illegal to intercept personal communications and users should expect the same respect for the privacy of e-mail as for regular mail.

"It is important to assert the expectation of privacy and work to increase that security", he said.

"If we give away that expectation, then the police could start to monitor e-mail."

Some people are starting to use encryption on the Internet as a security measure.

One program, called PGP for Pretty Good Privacy, enables an e-mail sender to encrypt or code the message just as spies have done for years.

The receiver has a key that enables only him or her to unscramble the message.

The same principle can be used for commercial transactions over the Internet to protect the security of credit card numbers and any other vital information.

Jones said e-mail and the Internet can improve the speed and distribution of leaked documents.

Confidential information on paper is difficult to disseminate quickly for anyone wanting to "blow the whistle" on secret activities.

The manila envelope containing private documents mailed to the press by a disgruntled employee or even faxed is slow compared to Internet distribution of confidential e-mail.

Jones mentioned a confidential e-mail the Canadian Internet provider IStar distributed to its technical staff from its legal counsel.

On July 3, 1996, Margo Langford, the company's corporate and regulatory counsel, sent out an electronic memo listing the Internet newsgroups IStar was deleting because it felt they were used for illegal purposes.

The memo said, "This list is for the information of the technical support staff of Istar Internet only and is not for general distribution to the customer base."

Within days, Jones said, the entire Internet community had access to a copy of the memo which generated considerable debate and newspaper articles.

That confidential memo could not have been leaked to so many people so quickly by conventional methods and is today posted on the Internet.

It is available at http://www.efc.ca/pages/isp/istar-censorship.html

The bottom line for using e-mail is to err on the side of caution.

Don't say anything you might regret later.


Copyright © 1997 by Marvin Ross. All Rights Reserved. Reprinted with permission.