Accidental Privacy Spills

ahem writes "A journalist attends the World Economic forum, and writes an email to a few friends. It's a chatty, casual conference report. The conference is a gathering of the 5,000 most powerful people in the world. The report gives a breezy insight into how stuff gets done at that level, and what the concerns are that keep the world's leaders up at night. That email was intended only for the journalist's friends. That email winds up getting plastered all over the net. Here is a very interesting discussion of the implications of this "privacy spill." Make sure you read down to the Epilogue. Here is the email itself." The Lawmeme discussion is quite thoughtful and in-depth, very good reading.

common example: Word documents

[pohl]

• My wife interviewed with a job.
• Someone in HR uses some other person's job offer (in .doc format) as a template to offer her a job. Sends document in email.
• Wife gets email, but doesn't have Word handy. She's a unix geek, so she uses the strings command to look at the text...screams "WTF!?" at the absurdly low salary offer.
  
• A moment later, realizes that her name isn't "John Smith".
  
• Closer scrutiny reveals what this guy applied for, where he lives, and how much they offered him. It was in Word's undo stack, which travelled with the document.
  
• Wife opens in Word, sees real offer, takes job.
  

Re:common example: Word documents

[phavens]

More then once I've been given a document I can't open but need the information inside (I'm a graphic Artist). So I automatically open it in a text editor so first see what type of file it is... and second see if I can get the info easily (and recreate if necessary).

Word is bad about saving info. You with find previously deleted text, revisions, computer names, account names, sometime passwords embedded into the document. I would have to say that Word is one of the most insecure formats in which to deliver a message.

BTW - this same way has gotten me past passwords more then once.

Can the problem be solved?

[jdreed1024]

Instead of worrying whether it's right or wrong that the e-mail was forwarded around the world, the real question is, Can anything be done to prevent it?

Let's compare it to a real letter, or better yet, a company memo (in dead-tree form), since real letters typically only have one recipient. Let's say a memo gets sent to all 5 members of the HR department of a company. That memo warns that there will be no holiday bonuses this year. It goes on to say that the employees will be informed of this later, but HR is getting a heads-up in advance. Now, one of the HR employees, pissed off about this, decides to scan it, and post it on the company web site. Is he wrong to do this? Most people would say he is, I'll bet.

Now, the question is, why is it so different with e-mail? If I send a printed letter to a friend, I have the expectation that it will not be plastered on bulletin boards around town. If I send an e-mail, people would argue that I can't expect it to remain private. Why? I think the answer is because it's so easy to distribute an e-mail. Clicking the forward button is trivial.

So what's the solution? Disclaimers and confidentiality statements like some companies have on their e-mail? Doubtful. Even if they would hold up in court, who's willing to fight it? How about some sort of flag that specifices whether a message can be forwarded? That smacks of DRM, and no one's going to like that, nor will every client implement it. PGP? Well, that's nice, but once the recipient decrypts it, it's plain text, which can be forwarded. As much as it sucks, we may just have to rely on personal judgement.

So was the person who forwarded her e-mail a jerk? Probably. Should he have asked permission of the author? Definitely. Is there anything that can be done about it? Nope.

Even when they get it, they don't get it

[Eryq]

Even more damningly, a fundamental precondition of technological solutions is the ability to force the other guy or gal to play by your technological rules. Setting the do-not-forward bit on your email is useless unless email clients respect that bit. Therefore: Palladium. Therefore: the broadcast flag. Therefore: certificate authorities. Therefore: the IPv6 Forum. Therefore: the DVD Content Control Association. All of these institutions are devoted to the widespread distribution of compliance. They encourage and/or coerce the adoption of their preferred technologies in many different ways, but the underlying idea is always the same: create a forum within which certain rules of behavior are enforced at the architectural level.

Except that in the case of email, you can't. Repeat after me, kids:

• Anything that can be read, can be copied.
• Anything that can be read, can be copied.
• Anything that can be read, can be copied.

All you can do is make it difficult or illegal. But give me the most-secure email system, and I can probably do any of these:

• I can print the damn thing out and xerox it.
• I can do a screen capture and run the image file through OCR, and email that.
• I can dictate it as I read and record a .wav file (or pump it through a speech-to-text engine).

But by all means, if someone wants to develop a huge expensive system that "guarantees" uncopyable email, be my guest. It'll be good for laughs.

Nothing to be ashamed of

[peacefinder]

I've just skimmed the article (which seems quite good) and read the letter. I can think of a number of reasons the author wouldn't want an e-mail to slip out, but now that it has, I have to say:

That was a damn fine read.

Sure, it could use some editing, but it's not that bad. It's easy to find worse in the print press, let alone on the internet. Besides, that's just form and style... content is what really matters.

And in content, it is actually very interesting and eye-opening. I would be delighted if the author were to write a more lengthy and involved piece on WEF in Davos that actually *is* intended for publication. After this little debacle, it's sure to get a lot of exposure, and I bet she's got a lot more she could say on the subject.

(And sure, the fuss may have all been a marketing gimmick for a forthcoming article. I don't really care, because if so it was really well done! :)

domain name confusion an additional factor

[merlyn]

My domain name stonehenge.com is the stem of a slightly longer domain name of a moderately-sized venture capital company.

At its peak, about once every few days (slower since the dot-bust), I'd get a message directed to an address that bounces into my postmaster recycle bin containing all sorts of wonderfully cool private information: business plans, financial spreadsheets, customer contact lists, credit reports. Obviously, this was intended for the identical address at the VC firm, but the sender (wrongly) presumed that they could shorten that to just stonehenge.com.

What's odd is that nearly every time I responded with my curt message of "hey, you shouldn't be sending private info with big financial impact without either verifying the recipient or encrypting the data", they would come back at me, like it was my fault! Weirder, they'd ask me what the proper email address was, like I knew (or cared).

I spent about 20 minutes one day talking with the IT director at the VC company. I tried to make him understand that ultimately, it was his company that might be held liable for not making their email address clear to the clients they were dealing with. But he seemed to think that all I needed to do was agree to forward the misdirected email. We never did agree on that.

I still get misdirected emails for a video production house in Canada as well.

Why don't people understand that every character in an email address matters?

Re:common example: Word documents

[Xerithane]

It turns out that Windows didn't use to bother zeroing out RAM when it handed it over to an application, so I guess at times you could call malloc() and get random junk from other running applications. And Office of course doesn't actually write files out in a known format, it pretty much just dumps memory out intact (which is why it's such a pain to reverse engineer the file format). The combination of the OS not clearing RAM and Office writing out memory which it had allocated but never bothered using resulted in email headers in Word documents. This was fixed years ago, of course. I kinda missed it, though. I still routinely run strings on Office docs to see what shows up.

Uhm, no, you are mistaken in your understanding of malloc. This is the standard for malloc:

malloc() allocates size bytes and returns a pointer to the allocated memory. The memory is not cleared.

Taken from malloc (1).

It is not the operating systems responsibility to clear the memory of something recently allocated, and it is good programming practice to set the bits to 0 after a malloc unless you know for a damn well certainty that you will fill the entire segment.

Re:common example: Word documents

[golo]

Not really in the personal privacy sphere but I once saw a DEA document that they published in PDF with the name of their agents blacked out. in Acrobat the names were actually blacked out but in OS X preview app you could see them.
I know absolutely nothing about PDF but I assume they have layers.

Ironically it was a report about some Israelis trying to gather information on DEA agents and there they had all their names and addresses published in the internet.

Re:Boo fucking hoo, Laurie

[linefeed0]

I'm wondering, in fact, if she didn't want this e-mail circulated precisely because it reveals a sort of upper-class-wannabee shallow social manner that doesn't reflect well on a professional journalist.

Still, I'm glad I've read it... it's decent news coverage of such a relatively important event. I mean, good use of sources of all types is what journalism is all about... Thanks, Laurie! :-P

Incidentally, this diatribe is from someone who posted a personal note from ex-President Clinton on her website. Presumably with permission, natch, but it's no less private by nature.