Deleting E-mail Could Get You In Trouble

Sterling D. Allan writes "A story in the Deseret News cautions governments and corporations from deleting legitimate email. Expensive measures are being called into place to archive the mail for future subpoena purposes. Think Enron on one hand. Think Monicagate on the other. Next they'll ask us to keep recordings of all our phone conversations? Big brother gets bigger -- with good reasons, as always. What about all those business propositions I get from Nigeria. Do I have to keep those too? "Get rich from home" (to pay for the purchase of a new hard drive to contain all your spam). One man's junk is another man's treasure. You never know what an IRS agent might find lucky."

I'm not that bothered

[Ckwop]

I have no real problem with companies being subject to tighter restrictions. However, these restrictions shouldn't be too sweeping. If I send an e-mail to my friend using my Work's e-mail address the government should not be allowed to view that e-mail without a warrant.

Moreover, there should be a legal definition of what to keep and what can be tossed. I could imagine something like:

"a message that amounts to an instruction to an employee or specifying of company policy.." etc.

I don't want to store twenty thousand pieces of spam that every user might collect over two years. That makes e-mail quite an expensive tool if you have to do that.

There is one question I do have. Did the government have the power to collect so much information in the past? How many years worth of company paper memo's were stored? I suspect the ability was much reduced so in which case so why do they need so much more data?

Simon.

Re:I'm not that bothered

[Tim+C]

If I send an e-mail to my friend using my Work's e-mail address the government should not be allowed to view that e-mail without a warrant.

But how do they know that what you sent was a personal email, without reading it? When you send an email from your work account, you are effectively speaking on behalf of your company. If you want to send a personal email, you should use a personal email account.

How many years worth of company paper memo's were stored? I suspect the ability was much reduced so in which case so why do they need so much more data?

I suspect that if paper records were as easy to store as electronic ones, they would have required just as much to be retained. A couple of SAN-type things the size of an office filing cabinet would no doubt be capable of storing all the records your company is likely to ever create; the actual filing cabinets may only be sufficient for a couple of years' worth of paper records.

Re:I'm not that bothered

It's not just your e-mail. The infrastructure belongs to the company. I'd be careful about using my work e-mail to converse with friends. Web based email, pocket PC's, laptops, phones and t9 on a break work just fine.

Yes government had the power. And it's not uncommon for companies to keep a lot of paperwork until long after it was useful, occasionally purging all the really old stuff.

Re:I'm not that bothered

[Lakee911]

I don't keep anything that I don't read. If I happen to come accross a piece of spam and I'm dumb enough to open it, it gets kept. Granted this happens once or twice a week it's not so bad. If I don't read it, it gets deleted--Who's to say I ever got it? Email isn't a reliable communication source. Enough said.

Re:I'm not that bothered

[JackAsh]

Actually, I think the regulations are a bit more industry specific. The company I work at is in the Financial Services area, and we are regulated by NASD and the SEC. I believe both have rules for various different forms of communication. 3 years for electronic communications. 7 years for paper xyz forms. 6 years for TPS reports. You get the picture. I've actually seen a huge, 30-page grid of the various regulations that apply to different items - and these were small, 2-line items on each cell of the grid - the number of regulations is staggering.

Other questions come to mind, like what is an electronic communication? E-mail? Instant Messaging? Video Conference systems? VoIP? Regular phone calls? The general answer you will find these days is "yes".

It used to be prior to Enron and Worldcom that most people believed what you don't have can't hurt you, so they'd ignore these regs or at best take a very limited view of their coverage (Joe, you work in the XYZ critical department, so you need to copy all your business email to this mailbox). These days they go for "the whole company gets journaled to an external service provider" type of approach. And apps like Instant Messaging are not allowed unless we have a server to capture all the traffic from the app.

So yeah, if you're a company, big brother can come and get you - or at least one of his smaller, more industry-specific siblings. It really depends on where you are.

-Jack Ash

Re:I'm not that bothered

[0racle]

Well it says cautions against deleting legitimate email so I doubt that those viagra e-mails count as legitimate. Yes the government had these requirements before, several industries, for instance Financial Institutions, are required to hold on to every piece of correspondence to document what was going on, this is more of a reminder that just because its an electronic message doesn't change anything. Not everything is a conspiracy.

Re:I'm not that bothered

[kv9]

> Who's to say I ever got it?

the logs

Re:I'm not that bothered

[moonbender]

Who's to say I ever got it?

The Sendmail log file? :)

Re:I'm not that bothered

[moonbender]

I suspect that if paper records were as easy to store as electronic ones, they would have required just as much to be retained.

Interestingly enough, although electronic records are easier to store than paper ones, they are also far more easily deleted. Deleting email is easier than throwing away a paper letter. And what's more important, deleting a thousand or ten thousand emails isn't a lot more difficult than deleting just one. It's psychologically easier, as well, since paper documents have a more significant, official feel to them.

Re:I'm not that bothered

[ScrewMaster]

so in which case so why do they need so much more data?

Same reason that dogs lick their balls.

Re:I'm not that bothered

[SpaceLifeForm]

The logs don't prove crap. They indicate that it was possible that you read it, but it's also possible that your spam filter tossed it.

Re:I'm not that bothered

re: a message that amounts to an instruction to an employee or specifying of company policy..

hello ckwop,

i instruct you to buy the pen1s enlXrgement pilljs sold at nodoctorneeded.com, as it is now company policy to sckrew your l0ver like never before.

regards,
your boss

lives augustly Chesapeake weaned Goethe races terrains reflex railroad reserpine positing mostly Limerick alloys epithets nebular offsets dearths researches Prague pantheism hasty assumption redundant woodruff indium mickelson horsedom obnoxious

Re:I'm not that bothered

[sql*kitten]

Interestingly enough, although electronic records are easier to store than paper ones, they are also far more easily deleted. Deleting email is easier than throwing away a paper letter.

Except that's not actually true. If you have a paper letter, you tear it up, it's gone. Of course it can be photocopied, but still, those copies can (relatively) easily be found.

Delete and email - what if it's still in your mail folder? Many clients mark deleted emails as such then only carry out the purge when they "compress" the mail store. Maybe there's a copy still on the server, the delete instruction hasn't reached the other half of the cluster yet. Maybe there's a copy on the backup tape. Maybe the system is configured so that mail is logged on delivery, and deleting it from your client doesn't touch the master log.

Deleting email is actually far, far harder than destroying a letter.

Re:I'm not that bothered

[Sad+Loser]

This is a good point, but I go further: I am a doctor and we say 'never write something in the notes that you would not want them to see'.

Similarly we only use our 'official' work emails for the most anodyne correspondence. Anything of interest is between our home email accounts, which are much less likely to get subpoened.

(we are not involved in widespread criminal activity, well not yet anyway - we just don't want our admins to read all our mail too easily. I suppose encryption would be good as well).

Re:I'm not that bothered

All that says is that it was sent. I routinely delete mail off my isp's server without ever downloading it to my email client; I read some of it in my text editor. The spammer (or whoever) sent it has no proof whatsoever that I ever read it. Even if they embed one of those 1x1 pixel graphics, they STILL wouldn't know because a text editor doesn't download and display graphics.

Re:I'm not that bothered

[gnu-generation-one]

"But how do they know that what you sent was a personal email, without reading it?"

It's encrypted. Best possible way of marking your emails as "private", imho, closely followed by interspersing your personal emails with ones containing malicious javascript that your boss' computer is vulnerable to...

Re:I'm not that bothered

[moonbender]

Except that's not actually true. If you have a paper letter, you tear it up, it's gone. Of course it can be photocopied, but still, those copies can (relatively) easily be found.

Well, for one thing, I think you underestimate the paper trail a document can have in any modern burocracy. :) But you're still right, one peculiarity of electronic documents is that they are often retrievable even after they have been deleted. And as you say it's very difficult to make sure something has actually physically been deleted after the delete command has been given, or even to determine whether it was physically deleted or not.

My point was different - that giving the delete command is a lot easier than having to "manually" (in the true sense of the word) delete paper document. Your point is well taken, though.

Re:I'm not that bothered

[moonbender]

All that says is that it was sent.

No, it also potentially tells it was received. Received as in transmitted to your email account. After that it's your responsibility to do whatever you want with it. No, nobody can determine whether you've read it or not, but that's true for anything including real letters (including registred mail), but I never claimed that, I replied to the question: "Who's to say I ever got it?"

Re:I'm not that bothered

[moonbender]

The logs prove that he got the mail, which is all the grandparent claims. Grandparent makes no claims of the logs being able to tell whether you read it or whether you delete it manually or have your spam filter do it.

Re:I'm not that bothered

[compgenius3]

Big brother gets bigger -- with good reasons, as always.

I would just like to say that the road to hell is paved with good intentions

Re:I'm not that bothered

[TheClam]

They taste good?

Re:I'm not that bothered

[ScrewMaster]

No ... because they can.

Re:I'm not that bothered

[Mycroft_VIII]

"How many years worth of company paper memo's were stored?"

Quite a lot actually, 5 or more years worth in some cases. One of my fathers co-workers quit a fairly decent job to pursue his archival storage bussiness full time as he was making A LOT of money storing back records for various companies to keep them in line with various regulations. We're talking acres of storage space for some storage companies.
Exactly what is kept and for how long varies from industry to industry, and a lot of it is 'liability abatement' paperwork kept till the last possible sue by date is reached. Some of course is government mandated, and some is just becaus.
The interesting thing is a fair amount of the regulated documnets kept are because governmental regulations require paper copies, original invoices, etc. and so are actually printed versions of electronic documents that are also stored on backup.

Mycroft

Re:I'm not that bothered

[rgmoore]

I have no real problem with companies being subject to tighter restrictions. However, these restrictions shouldn't be too sweeping. If I send an e-mail to my friend using my Work's e-mail address the government should not be allowed to view that e-mail without a warrant.

There are several things to keep in mind. One is that a warrant would probably be required even if there's already a law mandating minimum record retention time. Law enforcement might try to wriggle around warrant requirements for personal emails recorded on business servers on the grounds that there was no expectation of privacy, but that's just an argument in favor of separating business and private correspondance. If you're worried about the government reading your mail, you really ought to take some steps to make it hard to read.

Another point is that this is far more likely to be applied to civil than criminal law. A typical business is sued by a competitor, supplier, or customer much more often than it is to be criminally investigated. Rules that make lawsuits easier are something of a double-edged sword, but my gut feeling is these rules are likely to be good overall. People who want to launch frivolous and harassing lawsuits don't really care how easy their suits are to win on the evidence, so lack of records won't stop them. OTOH, companies that are contemplating doing something wrong might think twice if they are legally required to retain incriminating documents and could be sanctioned if they're destroyed.

Finally, these rules are also likely to be aimed at government, which is definitely a good thing. Democracy depends on accountability, and accountability depends on access to information. I definitely want strong rules to prevent officials from destroying the records of how they reached their decisions. Doing otherwise is asking for trouble.

Re:I'm not that bothered

6 years for TPS reports

Man can you imagine getting a call from your boss complaining that you used the wrong coversheet on a TPS report you did 6 years ago.

Re:I'm not that bothered

[biobogonics]

Actually, I think the regulations are a bit more industry specific. The company I work at is in the Financial Services area, and we are regulated by NASD and the SEC. I believe both have rules for various different forms of communication. 3 years for electronic communications. 7 years for paper xyz forms. 6 years for TPS reports. You get the picture.

I work in a branch of health care. We took over a small office about a year ago. I just got around to retiring outdated records. What I saw being saved shocked me, even more so since I had to remove all staples and shred it all. I've since made new policy.

We no longer keep duplicate records of phone messages. If it needs to be a part of the permanent record, it gets written in the chart.

Re:I'm not that bothered

[bill_mcgonigle]

If I send an e-mail to my friend using my Work's e-mail address the government should not be allowed to view that e-mail without a warrant.

Encrypt your mail.

Re:I'm not that bothered

If you're worried about the government reading your mail, you really ought to take some steps to make it hard to read.

0MG! d00d! ! 54!d teh 54m3 7h!n6 t0 my b005, 50 n0w w3 411 7yp3 !n l33t!!!!!! c0mp4ny 2001z!

Re:I'm not that bothered

[cyril3]

No. Because no-one else will.

Re:I'm not that bothered

If you're emailing from your work account you are declaring it's *business* email. If you so happen to send personal email via your work account that's your fault. They can read whatever they want.

Re:I'm not that bothered

[kubrick]

we are not involved in widespread criminal activity, well not yet anyway

(Speaking generally here, of course :)

Malpractice is civil, not criminal (I think -- maybe not in particularly serious cases, or would you be charged with something else there?), but you'd likely still find yourself in court and your documents being read. One reason for the precautions... well, there's that and patient confidentiality, which I'd hope most doctors still support.

Re:I'm not that bothered

[0x0d0a]

Lots of good points here:

I am a doctor and we say 'never write something in the notes that you would not want them to see'.

Sad that we live in a society with such huge legal awards taken from medical providers that they are forced to wear false masks to get by.

Similarly we only use our 'official' work emails for the most anodyne correspondence. Anything of interest is between our home email accounts, which are much less likely to get subpoened.

Good incentive for company firewalls *not* to block outbound IMAP/IMAPS, since it encourages people to keep potentially incriminating mail off the corporate mail system.

we just don't want our admins to read all our mail too easily.

The mail and sysadmins are marvelously underpaid beasts, as the damage they can do to a company is phenomenal. They can generally see everything that anyone has written or does -- even the CEO is limited in this respect.

Re:I'm not that bothered

[Don'tTreadOnMe]

The Supremes have already ruled on the nature of e-mail:

From the fine article: Consider the nature of e-mail. Is it akin to a phone call -- fleeting and ephemeral -- or more like a written letter -- substantial and fixed?

Appeals Circuit Ruling: ISPs Can Read E-Mail http://yro.slashdot.org/article.pl?sid=04/06/30/20 14242&tid=158&tid=123&tid=95&tid=1 7 shows us that the Supreme Court does indeed see e-mail as ephemeral. I wonder how that decision affects the retention requirements?

Re:I'm not that bothered

[gnu-generation-one]

"If you're emailing from your work account you are declaring it's *business* email."

Haha. very good. Actually you don't declare anything. In my case, if it's business mail, I move it to a shared folder. You presume too much about other peoples' contracts, or lack of detail thereof.

"If you so happen to send personal email via your work account that's your fault."

Keep telling yourself that as you read your employees' resignation letters. They weren't unhappy about working with you, honest...

"They can read whatever they want."

Did I mention it was encrypted?

I think someone need Gmail!

[aslate]

Seeing as their policy is "Archive, not delete", sounds like the perfect thing for Gmail.

Re:I think someone need Gmail!

[jomas1]

This is actually something the people who run googlewatch.org are worried about. They feel google's suggestion to archive and never delete will cause lots of privacy problems. Here's a quote from http://gmail-is-too-creepy.com/

"After 180 days in the U.S., email messages lose their status as a protected communication under the Electronic Communications Privacy Act, and become just another database record. This means that a subpoena instead of a warrant is all that's needed to force Google to produce a copy. Other countries may even lack this basic protection, and Google's databases are distributed all over the world. Since the Patriot Act was passed, it's unclear whether this ECPA protection is worth much anymore in the U.S., or whether it even applies to email that originates from non-citizens in other countries."

Re:I think someone need Gmail!

[ip_fired]

Well, in view of that information, the problem isn't google, but the law. Personally, I don't care if people read my e-mail. It's quite boring, and I doubt anyone would ever find it useful.

If they would like to see that I'm going to visit my friend in October or call my sister then let them. Important information should be encrypted anyway.

What annoys me are all of the people who want to stop a company from providing a valuable service. The reason why google offers the service that lets you just archive mail and save it, is because some people like to keep their correspondence between friends. I know I do.

Re:I think someone need Gmail!

[jrockway]

Gmail is a classic tradeoff. Do you want the convenience of having your email easily searchable and always available? Or do you want it encrypted stored on a DVD in your safe deposit box?

Personally, I don't have anything to hide. But I certainly respect others that do, which is why I always encourage stego, strong crypto, and Freenet. If you really care, just PGP everything and you'll be OK. Don't trust PGP? Write your own crypto routines (they're pretty simple) OR use a 1-time-pad that you keep with you at all times.

Anyway, yeah gmail is a privacy risk. But I don't care if someone knows that andy needs to meet me at 8:00AM at union station to have coffee... hell I just told you, you don't even need to read my email...

Re:I think someone need Gmail!

[moonbender]

After 180 days in the U.S., email messages lose their status as a protected communication under the Electronic Communications Privacy Act, and become just another database record. This means that a subpoena instead of a warrant is all that's needed to force Google to produce a copy.

Man, that is some crappy legislation.

Re:I think someone need Gmail!

[philovivero]

Gmail is too creepy, because militant religio-fascist police states might read the email? Why don't we point the finger at the actual problem: militant religio-fascist police states are creepy.

Reminds me of something a friend told me in college: "Why is it when someone has an incident with Alcohol+X+Vomiting they never eat X again? Why don't they stop drinking alcohol?"

Re:I think someone need Gmail!

[shufler]

Alcohol is more addictive than generic food X.

That said, I've seen more people who stop drinking Alcohol Y (where Y is one of the many types of alcohol) and start drinking Alcohol Z. They never return to Alcohol Y, and chances are, they end up eating food X again.

Re:I think someone need Gmail!

[rgmoore]

If you're really paranoid, public key crypto is probably a better bet for your email than 1-time-pad. With public key crypto, the weakest link is the mathematics behind the cypher. With a one time pad, it's the security of the pad. Even the NSA would probably have an easier time stealing your correspondant's pad or "persuading" him to turn it over than they would cracking a decent public key cryptosystem.

Re:I think someone need Gmail!

[shm]

So use gmail only for mailing lists. I've started doing that with my gmail account and it works great; especially for the mailing lists which don't have decent archives (or have archives with sucky search functions).

Re:I think someone need Gmail!

[andreyw]

Uh Jon? Its pretty simple to write *crappy* crypto algorithms, unless you just happen to have a Ph.D in Mathematics...

I know you don't ;-).

Re:I think someone need Gmail!

[EvilIdler]

Strangely, other countries would consider e-mail "just another db
entry" straight away, and it MUST be deleted after six months.

In other news...

Companies keep official correspondance.

Treasure, eh?

[justkarl]

One man's junk is another man's treasure. You never know what an IRS agent might find lucky.

Wait, what? Are you saying that IRS agents have small penises, and want to get rich from home, and want to gain a full cup size, and save Nigerian people from occupation?

Re:Treasure, eh?

[Richard+Dick+Head]

Well, what did you expect? Nobody says "When I grow up, I want to be an IRS agent!"

Re:Treasure, eh?

[DreamerFi]

Yep. Explains a lot, right?

Keeping Documents

[Tiberius_Fel]

Seems they consider e-mail to be somewhat akin to the paper way... everything must be documented in x y and z ways. My father's a lawyer, so I have some understanding of what it's like to document _every single thing_ that comes across your desk that's relevant...

I guess the idea is that if ever it came down to a court case, the e-mail records could be easily retrieved and used in the case. And destroying the records would be a crime, I suppose, which would also have it fall in line with what would happen if you were to destroy the paper records.

Re:Keeping Documents

the e-mail records could be easily retrieved and used in the case

Such as in the Microsoft anti-trust trial, where all the "Cutting off their air supply" laundry came out. While that was happening, a couple of the companies I was consulting for decided on a "data retention policy" that involved purging email backups after a short period of time. (If anything was important, the procedure was to print out the email and stick it into a filing cabinet.)

Problem with email is that it's 50% official memos, and 50% water-cooler talk. So you end up with a lot of jibberjabber which may or may not be company poicy.

Re:Keeping Documents

And destroying the records would be a crime, I suppose, which would also have it fall in line with what would happen if you were to destroy the paper records.

For most business sectors (but not all), destroying records is not a crime unless one is either under subpoena or should have a reasonable expectation of the imminent issuance of a subpoena. Many businesses toss out/shred the 'bad' (irrelevant?) and only keep the 'good' (self-serving?) records.

Re:Keeping Documents

[Mister+Liberty]

He has a large audience here, so please have your father explain to us why destroying any records per se, without any other facts or assumptions, suppose you, is /in itself/ a crime. Thanks for that. BJ

Re:Keeping Documents

[jafiwam]

There's regulations for certain industries.

However general purging of records (electronic or not) that do not fall under those regulations is definately NOT a crime.

However, the second you become aware they might (reasonably might) be used in a court case, you are no longer allowed to destroy them.

I purge the old stuff regularly until told to do otherwise for a specific reason. Of course, there is no way in hell I'd be given a budget to keep the stuff... so bit-bucket it goes!

reasonable

[zors]

first of all this isn't a law or something, its an article discussing it. or does the poster suggest that the government being allowed to subpeona email is a violation of our civil rights?

Re:reasonable

[tomhudson]

Good point. Besides, you can always archive it all on an old Maxtor if it has incriminating^H^H^H^H^H^H^H^H^H^Hinteresting stuff on it. Or even to a cheap DVD, and let bit rot take care of it. Or include cover-your-ass emails with forged headers.

It's like any other "suggestion". Eventually, they'll have to specify some sort of standard, and then the lawyers will find a way around it, like usual, for their clients.

Re:reasonable

I store all my old useless email on floppies stored in that magnetic box over there.

Re:reasonable

[tomhudson]

I think I'll start archiving mine on punched tape, and I'll keep it next to the fireplace so it doesn't get detroyed by frost during a cold snap.

Re:reasonable

[CharlieG]

And the sec or someone gets one or two of those, they get a court ruling that you were not in the spirit of the law, and away we go. Or they get the law changed

I know that "back when" (read 10-11 years ago, I was working for an insurance company. There are/were VERY specific rules on keeping paperwork. I was involved with a project to keep claims letters - they had to be retrevable for 7 years from the date they were sent. Fun job, and until that point, they had NOT trusted computers. We kept a complete set of revisions to each letter type (Receipt of claim, approval, denial, etc), a scan of each claims person signature, and all the details of the fill in the blank

The project cost a fairly large amount of cash at that time, but saved a fortune - not in labor, but in RENT. Even with moving "dead" records to offsite storage, you still end up with stacks of filing cabinets - when you figure that floor space can cost up to $800/sq foot, and that filing cabinet takes up say 5 square feet, that file cabinet costs $4000/year!!! Now figure a couple of hundred file cabinets.....

Re:reasonable

[tomhudson]

And the sec or someone gets one or two of those, they get a court ruling that you were not in the spirit of the law, and away we go. Or they get the law changed

I was hoping someone else would get into the spirit of things and post something about "you have punch tape, you insensitive clod! I have to use stone tablets!"

Anyway, as a prior poster points out, this is not the law, this is just a position paper.

Even if it were to become law next week, it cannot be applied retroactively. (Not where I live, where there's a prohibition to retroactive application of laws, but in the US, YMMV).

Make the rules the same as for paper mail

[jonbryce]

You aren't required to keep all the dead tree spam for pizzas, kebabs, credit cards, personal loans, Readers Digest and so on, only that which relates to your business. So it should be pretty easy to make the rules the same for email.

Re:Make the rules the same as for paper mail

[tonyr60]

Relevance and context would be the important issues.

Any document, email etc. relevant to a business transaction should be kept, not only for IR[DS] for for your own business history.

And destroying business documents, email etc. is fine, as long it is part of normal company or business strategy, and it is legal. For example deleting documents relating to a business transaction over 7 years old would likely be OK. Shredding documents at 3:00 am in the morning relating to a recent questionable transaction likely would not be OK

Re:not-yet-mandatory-for-your-own-email

[zors]

no no. not liberals, idiots.

Don't bother me

[Richard+Dick+Head]

I use Dick Head, or Napoleon for all my correspondance. Even if they could get me in trouble, it would be so worth it.

Step forward to the stand, Dick Head.

HEY! Thats Napoleon, asshat!

quota

Well, when I reach my 500mb quota, I have to delete my mails. I have however, created my own mail database in Notes on my network user drive, and moved +1 year old mails to that database.

Re:quota

[ScrewMaster]

We were wondering where you put those. Thanks for the info.

Yours,

J.A.

It's RTFA time...

[kirun]

Salt Lake County is looking at a system whereby employees would decide whether the e-mail is a "non-record" (spam or personal; delete whenever you want);

So, no, we don't have to keep spam.

Re:It's RTFA time...

[zors]

Wow, a new low for slashdot. even the original submitter didnt read the article. Well, more low than new really.

Re:It's RTFA time...

[gui_tarzan2000]

Even so, I wouldn't think they can do much about the people that don't make backups and have a hard drive failure. Or is it in the law somewhere that you have to make backups of your data? Forget company policy, I'm talking about those places like schools, small businesses, etc. that don't make it mandatory to make backups. IANAL so I don't know the law, but I can guarantee that a majority of people don't back up their data and that includes email. I have to ask them where their backup is when a hard drive crashes or the machine somehow gets wiped out. Fortunately most of them save their normal documents on the server but not email.

It almost looks like we're going back to keeping records on paper instead of electronically for archives as the last section of the article suggests. I know it makes sense to keep business related email but you know not everyone is or will, even with new laws. I just don't see this becoming a strict law any time soon because of the cost to make it work. Even the article shows how confusing this whole mess will be before it gets better.

Re:It's RTFA time...

[Dr.Zap]

Not to flame ya or anything, if you read a bit more carefully the article says employees in Salt Lake City can delete spam. The point of the article seems to be that the rules are not clear everywhere and you can possibly be guilty of some sort of breach of the law no matter what you do.

The headline may have been a bit over the top, and confusing regarding this point. I almost posted what you did, but reread it before I posted.

Re:It's RTFA time...

[nwbvt]

New? I would consider it a high point if someone submitted something which they had read.

Re:It's RTFA time...

I'm talking about those places like schools, small businesses, etc. that don't make it mandatory to make backups

Well, it's just going to have to be mandatory. And it better cost no less than $250K/year to maintain for even the smallest business.

Guess the barriers to entry will keep rising. Gosh, that'll upset the large monoliths, won't it. To think they're for this kind of regulation that will keep out upstart competitors... now if we can only require a license and bond before someone programs a computer. After all, without that level of responsibility, someone might tread upon a software patent inadvertantly. Better yet, we need a Program Consideration Council to screen any software ideas with the USPTO and a $2500 application fee to pay for the screening before any code is written. No safety consideration is too minimal!

actually...

[Ignignot]

Next they'll ask us to keep recordings of all our phone conversations?

Actually trading corporations (like Bear Sterns or Bloomburg) are required to record all conversations relating to market orders. That means that some phone lines are always being recorded at all times. This is required by the SEC. You'd be suprised what restrictions are already in place to prevent things like insider trading from happening.

Re:actually...

[Moofie]

I'm surprised by how well it works. Not.

Re:actually...

What? You're trying to say you're not surprised by how well it works, or surprised by how well it not works? GODDAMN YOUR OVERUSED CLICHES!

I have no problem with this.

[teamhasnoi]

I will forward all my work and home spam to the IRS for safekeeping.

Company policy requires email deletion

[britneys+9th+husband]

Some companies have "document retention" policies that require employees to delete email after a certain period of time. It's not to free up space on the servers, it's to make sure the stuff can't be subpoenaed. Many respected companies have policies like this. Many even have tools that make the email deletion automatic, and require management approval to disable the tool.

So maybe this story is really just focused on banning policies like this.

Re:Company policy requires email deletion

[barzok]

Unfortunately, document retention policies often conflict with other policies. At my company, all employees have a 100MB limit on their inboxes - it's a soft limit, but the warnings get nastier the longer you linger over 100MB, until an admin will eventually come and make you clean things up.

So how can I retain my email while staying under the cap? For a while, I archived everything to my network directory. Then I got slapped for using too much space on the server, we're not supposed to keep large amounts of "personal" documents on the network (apparently, my 350MB work-only email archive counts as a large amount or personal documents). So now it's archived to my local hard drive. If those emails are ever needed...no one but me will know they exist.

I'm told that before we were acquired by another company, our C*Os deleted everything from their email as soon as they were done with it. Less than 2MB used at any given time. Given how those guys acted "in the interests of the company" I'm sure they didn't want any of their email brought to light.

Re:Company policy requires email deletion

[Rich0]

My company sets a limit at around 80MB.

I always laugh. I bought a really nice 60GB HD a few months back for about $70-80 or so. My company thinks that about 7-8 cents worth of disk space is unaffordable...

Nobody follows the official retention policy. Not with PHBs constantly denying that they authorized a project or made a decision or whatever...

Re:Company policy requires email deletion

[T-Ranger]

Going with an insanly complex and redundent SAN can cost up to $0.30/mb, as opposed to $0.0013/mb consumer grade stuff costs. But yes, that is a rather insanely small quota for a work account.

Re:Company policy requires email deletion

[Rich0]

The company sent out an email claiming costs in the tens of dollars per MB, which to me just suggests that they are either really inept, or they're including all kinds of non-marginal costs that they'd have to pay anyway.

If I had a single server with a single 10GB hard drive and I paid one guy to maintain it I might have to claim costs of $80/MB - but that doesn't mean that it would cost me that much to add more space...

Re:Company policy requires email deletion

[buysse]

Take a look at the cost for an EMC support contract sometime....

Re:Company policy requires email deletion

[Threni]

> I always laugh. I bought a really nice 60GB HD a few months back for about
> $70-80 or so. My company thinks that about 7-8 cents worth of disk space is
> unaffordable...

It's not the cost of the drive that's the only variable here. It's the fact you'll want redundancy, such as that offered by some RAID configurations. You also want the data backed up onto tape. You need a process to do this, even if the process is just `get Gary to stick a tape in each day`. You also need to move the backups off-site, or at the very least into a fireproof safe somewhere.

Or are you comfortable with the idea of approaching your boss, or the judge, and saying "Well, I bought a $70 hard drive off of Amazon and it said it had a 5 year guarantee..."?

Re:Company policy requires email deletion

[Rich0]

Ok, so multiply the price by a factor of 100 to take all that into account. So now we're talking $7-8 per employee. Would it really hurt to up that spending a bit?

Does this make spam filters illegal?

[G4from128k]

With so many people using so many spam filters, I'd bet that a fair amount of "legitimate " email is automatically deleted by service providers and automated email filters. How can one prove to a judge that SpamCop had a given domain on its blacklist on a given date or that the sent email did not accidentally contain some filter-triggering word on that date? It seems that either spam filters create a legal risk or that the legal system has a naive view of the legal standing of email.

I reality, email is no better than a slip of paper tossed an the front yard of the recipient. It has a greater chance of being thrown in the trash than read.

Re:Does this make spam filters illegal?

[bill_mcgonigle]

I reality, email is no better than a slip of paper tossed an the front yard of the recipient. It has a greater chance of being thrown in the trash than read.

Quite true. I'm receiving about 25 Megabytes of mail a day, about 10% of that makes it past spam/virus/slashdot-troll filters.

It won't be long before "that message must have been deleted by the spam filter" is used as a defense.

Re:Learn from google...

This might actually be a pretty good business idea for google... offer corporate (secure) e-mail---for a fee of course---possibly 10gig e-mail boxes; with SSL, and corporate administration (and logging) of e-mail accounts (all accessible via the net through google).

Sorta like Internet based Outlook outservice.

on the other hand..

[plasm4]

While "Deleting E-mail Could Get You In Trouble," not deleting it. will make you blind.

The W solution

To avoid fishing expeditions:

Use no e-mail
100% effective spam-blocking, too.

Re:not-yet-mandatory-for-your-own-email

Governments and Corporations aren't you and me.

Speak for yourself. Who do you think works for the government and corporations? Kids?

What a lawyer told me.

[MisanthropicProgram]

I asked about how long to save emails and any other type of documents. He said to have a policy and follow it. In other words, if your company's policy is to delete your emails after two years, then there's nothing to worry about. On the other hand, if you're getting sued, having a gov't agency investigate, or think one of those things are about to happen, and you still delete the docs (even with the policy), you will have a problem.
BTW, I asked this a year ago, so I don't think that much has changed in the last year.

Good idea, with bad possibilities

Companies archiving company e-mail is okay in my opinion. But if the government wants to look through it, they better have a legit reason, such as if they have probable cause a crime has been committed.

Re:Good idea, with bad possibilities

[antispam_ben]

... if the government wants to look through it, they better have a legit reason, such as if they have probable cause a crime has been committed.

If you believe any of the conspiracy-theory hype, Echelon has already been saving this stuff for years. And by your reasoning, it's perfectly justifiable:

"We have probable cause that a crime has been committed [pic of a jaywalker, or maybe of the Kennedy assasination in Dallas], therefore we must save all email."

Re:Good idea, with bad possibilities

Anything over 7-10 years would definately be too long to save e-mail. I mean, if something has happened, they should have caught it earlier. But I don't know too much on this subject.

Re:Good idea, with bad possibilities

[antispam_ben]

Anything over 7-10 years would definately be too long to save e-mail.

That's why I save my email to CD-R's, to guarantee it won't be readable in 7-10 years. (!)

*sigh* who let the government in...

[jrockway]

I remember the good ol' days of the internet when it was a playtoy for scientists and computer people. Nobody knew what email was. Nobody knew what IRC was. I could send all the email I wanted and not get spam. I could even have my email address on my website!!!! I could trade files on IRC and nobody cared... it was normal.

Now we have the government telling me what I can and can't delete. Wonderful. /me thinks it's time to check out Freenet running over Internet 2 :)

Re:*sigh* who let the government in...

[VistaBoy]

Well, technically, it's not "Who let the government in," it's "Who let the public in" since the government created the Internet (ARPAnet).

VERY misleading summary..

The summary here seems to be implying that this has something to do with the government trying to get peopel to keep their PERSONAL emails. Read the article. That isn't the case.

This is simply talking about measures to force companys (and only them) to retain their internal emails. This way its hopefully harder for the CEO to say 'what funds? i don't know any embezzeled funds' after emailing his coherts about their plans.

Slashdot of all places should appreciate the fact that without a paper trail, corporate accountability is a pipe dream. This article is simply talking about trying to ensure that the paper trail exists.

No surprise.

[Black+Parrot]

This is hardly a surprise; the rules have applied to paper documents since forever.

If you've ever worked for company with a clue you surely encountered their "records retention policy", which is actually a "records destruction policy", since the general rule is that you are expected to delete everything as soon as the law allows you to. At places I've worked the managers made no bones about the fact that it was to keep damaging documents from coming out during lawsuits.

Industries already recording/archiving calls

[howardcohen]

Wall Street has been recording all phone calls to trading desks for years.

With data storage costs falling, and idiots being stampeded into surrendering privacy because of "terror", it's a no-brainer that this practice will spread.

Look for clever "hacks" to undermine this to crop up in the years ahead.

How can they tell?

Do they mandate that you use an email system that keeps track of deletions? If not, there seems to be a bit of a hole there...

ISP filters

[Anonymous+Writer]

My ISP filters out spam, as well as the Mail application in OS X, which automatically deletes junk mail after a specified amount of time. I never actually see the stuff. I suppose corporate email systems can do the same thing. Only real emails would normally appear in inboxes in this case, so those would be the ones that this article warns about deleting. However, if anyone wants to go through your emails and you don't want them to, flooding them with all the spam you get would be a way to hinder their efforts.

Recent poll tie-in?

[AnyoneEB]

This reminds me of this recent poll. Was this some sort of trick to get Slashdotters to admit they were doing something wrong? Did /. record the IPs of everyone who said they didn't save all their e-mails and delay this story until after that poll was off the main page?

company policy is the opposite

[prockcore]

I'm a little concerned about our company policy. I work for a newspaper and our policy is that all reporters should delete their notes after a story has run. This policy was created specifically so that reporters notes cannot be subpoenaed.

Re:company policy is the opposite

I'm a little concerned about our company policy. I work for a newspaper and our policy is that all reporters should delete their notes after a story has run. This policy was created specifically so that reporters notes cannot be subpoenaed.

What happens if the newspaper is sued for libel? They have no records to prove their telling the truth.

Re:company policy is the opposite

[CharlieG]

Well, that depends doesn't it? From what I understand about libel law (IANAL) in the USA, the party claiming libel has to PROVE the libel. In Great Britan, the party who is accused has to prove their statement

Re:company policy is the opposite

[0x0d0a]

The burden of proof is on the accuser. The defendant needs no records.

It might shorten the case, but they should never need them.

Oh great

[panic911]

At my work, we're using Microsoft Exchange standard edition (I think), which only limits your total mailbox to 16gigabytes. If you ever hit that 16gig limit you have to have everyone delete a ton of mail, then take exchange offline for a couple hours while you defrag the mail file.

We have about 150 users, so we hit that limit about twice a year which causes huge problems.

At my work, nobody can archive mail, unless they use a personal folder file (which stores the mail on their HD - meaning it doesn't get backed up).

I guess this law could become a problem for my co-workers -- oh well, screw em.

Re:Oh great

[ScrewMaster]

Might want to look at MDaemon as a replacement for Exchange.

Re:Oh great

You want Enterprise Vault from my old coworkers (from when they were at DEC) from
http://www.kvsinc.com/

Doesn't the government do that for me?

[cockroach2]

I think it's called echelon...

Re:Doesn't the government do that for me?

I think it's called echelon...

I thought the government e-mail monitoring system was previously called 'Carnivore', and is now called something like 'TerroristJustification'. ;-)

Does this mean....

I am supposed to archive all the spam, viruses and other junk that gets through my filters into the company email?

Re:Does this mean....

[Anne+Thwacks]

Maybe we can save everyone a heap of trouble: forward all spam to the IRS instead of saving it.

Just the contrary

[Alex+Belits]

If anything, this is a good reason to have a policy of ALWAYS deleting email after a short amount of time.

Not to mention, I want to see, what kind of standards are applied by the courts to verify the validity of email -- most of it is not cryptographically signed, and mail storage is almost never handled in a tamper-proof way even if it is somehow possible to verify the origin of the message.

Re:Just the contrary

[1u3hr]

If anything, this is a good reason to have a policy of ALWAYS deleting email after a short amount of time.

A few years ago I took my former employer to court for late payment of wages. Against his claims that I had agreed to being paid late I produced printouts of emails I had sent over a period of two years complaining about this. So it would have been a good company policy, but not necessarily in the interests of the staff when they are in any dispute with the company, or are being set up to be the scapegoat for some transgressions of the bosses. If any of your team are caught or killed, the Secretary will disavow any knowledge of your actions. This tape will self-destruct in 10 seconds.

Actually I had backed up my entire email correspondence for almost 10 years into one zip file of about 20 MB. That's lot of correspondence. The average message comes in at about 2-4 kb. I think now with the current fashion of using HTML mail, or even worse, attached DOC files, the average is at least 10 and perhaps 100 times that now. I understand Outlook stores all your mail in one single binary file of undocumented structure, mine is in Unix MBX format. Given all that I'd guess that the vast proportion of email storage is huge slabs of [div][font Arial Helvetica size=2] [/font][/div] and so on. These days for my personal email I strip it back to plain text before archiving it.

ease off the panic button there, Buck Rodgers

[SuperBanana]

I remember the good ol' days of the internet when it was a playtoy for scientists and computer people.

...and nobody used it to conduct business, especially financial matters.

Now we have the government telling me what I can and can't delete.

The government has always told certain categories of businesses that certain things must be saved. My friend who is a private, fee-based financial planner/advisor, has to keep all emails and a call log (don't remember with notes or not) when it concerns a client.

For companies, fine ... for personal e-mail, no

[hattig]

I think that this is fine for company e-mail, but it shouldn't be an option for personal e-mail.

If you are at work, you shouldn't use your work e-mail address for sending or receiving personal e-mails. Quite hard to enforce though. Instant Messaging has taken a reasonable amount of the small e-mail market though, and it does have a lot less spam issues to contend with as well.

Important e-mails like "sell those shares in XYZZY tomorrow, I've heard that they're doing badly, on the grapevine, like" should not be deletable though, so that illegal insider trading type scenarios cannot occur. OTOH why not a phone call with the same information?

Basically, you have to consider that anything that goes through a computer system can and will be recorded for a long time.

Re:*sigh* who let the REGULATORS in...

[jrockway]

I knew someone would point this out.. what I meant to say was "who let the REGULATORS in".

if you want to use email..

[gl4ss]

like real MAIL(equivalent), then it's a no brainer that the same restrictions/rules apply...

of course, there's these people that seem to think that just because something is 'electronic' none of the earlier made laws or rules apply..

some institutions just have to keep records of what they communicated with others or what was submitted to them, it being a formal phone call inquiry, a fax(which is not that far from email anyways), email or an email printed on a piece of paper and mailed through ups courier having little to do with it being an official paper needing to be logged.

you don't like bureaucracy with certain rules at all? make your own nation that can act without it and be effective at anything.. then you can really have 419's fraud-stories that are actually real.

Tightening the noose

[Dr_Marvin_Monroe]

I'm not really opposed to this, and it does seem to be in direct opposition to a lot of "company e-mail policies" as it's written too.

I dont think that companies should get a pass on these types of written correspondences. These days, it's just too easy to hatch a "dominate the globe" policy at the corp. level and then eliminate the evidence through a "document destruction policy" like those at Arthur Anderson/Enron/MS/etc.... I've seen a clear policy of "destroy everything" with regard to e-mail and written transactions at almost every company I've been at. Seems more like the policy is geared towards eliminating any incriminating evidence rather than simply keeping space on the server to a manageable level. That's too bad, because I've seen some smoking guns that SHOULD be loosed on the world.

On the other hand, these types of policies are instituted because it's just too easy for lawyers to get ahold of those records for the purposes of "fishing expeditions," think SCO and their associated scum. Lawyers can just come in with the vague outline of some scheme and get all of a company's e-mails to help create a real case where none existed before. The cost of handing off an entire archive isn't trivial, and discovery is just too easy to do.

Whatever the outcome, it just seems like you and I (read the little guys) will have ALL of their e-mails "go down on our permanent records" while the big guys will always seem to have a good excuse why the mail server suddenly destroyed all the records for that pending lawsuit. I can just hear the lawyers now...."..yeah, it's funny how only the VP's e-mails dissapeared, and only for a 3 month period, but we've got him on a special server that's set to explode in flames every 90 days."

I think that this type of national policy will ultimately hurt the little guys/companies more than the real targets of such legislation. The big guys will just start having oral meetings without taking notes or some such method of non-trackable information sharing.

As with all government intervention, the "quick-fix" is never really that quick, and the problem is almost never fixed.

My company *requires* me to age out email

[flingylingy]

Seems apropos. My company, who I can't name for reprisal purposes, is a fortune 10 company. We have a policy that any email must be deleted after 30 days. No backup of any electronic means. However, *paper* archive is fine, and is the only approved method of maintaining email over 30 days. It's insane. What my colleages do is zip up our outlook folders, encript, rename, and save to "safe" backup folder to let our system save it on tape/dlt. If I ever need an important "pearl harbor" file, then I can request an old renamed, zipped backup, and then pull it. I've done it once.

The main reason for this is that the lawyers waaaay up there in the chain got really afraid of the Enron type email digging, and released the policy of "destroy, good or bad"

It sux.

PGP emailing

[screwedcork]

I really wish that PGP signing/encryption of email would become a lot more commonplace... do you want to be prosecuted for an email that you didn't send? Email is, obviously, very insecure... on the other hand, you can't deny that it you sent if it's convenient :-D

Another question: What if the government wanted to read an encrypted email? Would they demand you turn over your private key?

I find it interesting...

[bigattichouse]

that its not that big brother is recording our emails - they realize they can't.. so they make it law that we have to spy on ourselves by saving emails. So, If I delete my own emails - can I plead the 5th amendment? But, forcing my employer to spy on me, now that is an interesting work-around to the 5th. Not one I like, just interesting.

Re:I find it interesting...

[Ghostx13]

Actually, you probably need to read your companies TOS for using their systems. Most likely they will state that you have absolutely no expectation of privacy when using their systems. Even if your company doesn't have an offical TOS, when your using ANY computer service that you don't own you don't have an expectation of privacy, unless explicitly stated.

The 5th amendment simply states that YOU don't have to testify that you've done something thats illegal. For instance a DA could subpoena your tax records and your employers payroll to prove that you're commiting tax fraud. They could not however force you to SAY that you've commited tax fraud.

Also, anything that is written (electronically or other wise) is not specifically covered by the 5th, even if it is something private, like a journal or a diary.

The laws regarding expectation of privacy are quite interesting. I would reccomend that you read up on them, as quite a bit of the time you have absolutely no expectation of privacy.

Google "expectation of privacy" and you'll get lots of good info.

I think I'll stockpile old phone equipment

[Dr.Zap]

Next they'll ask us to keep recordings of all our phone conversations?

Including metadata. Anyone still want VOIP?

Re:I think I'll stockpile old phone equipment

[base3]

Logging of metadata isn't new. Endpoint logging has been stored on AMA tapes for decades with POTS. Yes, including local calls.

Re:My company *requires* me to age out email

[jyoull]

you should be sacked for not following this policy. it's not your place to override something like that, potentially creating all kinds of liability and not just in terms of "catching" teh company trying to do something bad to you

The Government can do it for you

[totierne]

The Government can keep all email from and to headers without a subpoena. I am not sure if they can keep the contents and only look at it years later when they get the subpoena, i.e. you are connected with someone who does something interesting, or maybe connected to someone who is connected to someone interesting.

It is only a matter of time.

[Is refering to 6 degrees of separation redundant. Well I am Irish, to be sure, to be sure.]

Slashdotters at risk

[Dr.Zap]

The Slashdot sysadmins (Slashmins?) are keeping records of our posts (including metadata?)

screw 'em & the camel that rode in on them

[Almost-Retired]

As a now private, more or less un-employed and semi-retired person, most of my mailing list activitys are recorded in the various folders my email agent maintains. But, part of that maintainance in most cases is an expire date. I keep mailng list messages only for a couple of months, then they are automaticly gone as basicly their contents are no longer valid anyway.

Not only that, but what the hell has happened to our basic 1st amendment rights. Or the rest of the Bill of Rights for that matter.

I think its way past time we found an honest man for the white house, one who would uphold the constitution instead of figure out ways to feed his buddies ever more government contract monies without actually putting it out to bid.

Unforch, politics and religion have this commonality. As the devil said when God threatened to sue to get an engineer back that was sent down by accident, "And just where are *you* going to get a lawyer?"

Seriously, we need a "D" option on the ballot, for none of the above, thereby forceing a fresh start at finding a suitable candidate, one crazy enough to want the job, and still honest enough to try to fix the congressional excesses of the last 30 years.

You don't like my message? Then don't post, but get off your ass and be a part of a democracy, register and VOTE dammit! Then send a message to the winner saying that you expect him to do the job he was elected to do.

Cheers, Gene

not practicle

[JDizzy]

When I worked as a Unix guy at Computer Associates, who fired me for reporting them to the BSA, I fondly remember being told that CA policy was to delete all email off the servers after a period of 90 days, and that no email server was to *EVER* participate in the enterprise backups. In other words, if any email server had a failure which resulted in data loss, that data was gone, and the hundres of affected users were down shit creak with no paddle. I was informed that this policy was enacted several years previous when the SEC busted down the doors and seized the emails servers looking for some evidence against the company. So CA simply made it so no email is ever kept on any archive, less it be the users own personal archive on their computer terminals. Even then, most users would have to delete emails in their own archives to cope with space issues. So enacting laws that requires companies to retain an archive si a bit silly in my experience. Also, what would happen if a company retained an archive of email, but encrypted the mail data-base, and keyed it on the users password? Would that violate the letter of the law, or the spirt, to retain the emails in a cipher-text format. Certainly you could get a court order to force somebody to provide the password, right?

Just thinking outloud here...

Thanks.

Re:not practicle

nice guy - reporting the company... did it profit you any?

note to HR - don't hire any ex Computer Associates guys - they may not be trustworthy...

Re:not practicle

[ArsenneLupin]

When I worked as a Unix guy at Computer Associates, who fired me for reporting them to the BSA,

Hey that's funny. Usually it's the other way round: employees report their employers to the BSA, for firing them ;-)

Re:not practicle

[bar-agent]

The poster was at Computer Associate's Soviet Russia office.

periodic file review & document retention poli

[spoonyfork]

I can't imagine a business that has to deal with lawsuits, legislation, and government regulations not already having some sort of periodic file review in conjuction with document retention policies. Business-related documents should kept for a period. At the time of periodic file review the company should provide a list of document retention orders so that relevent documents are not destroyed if associated with legal actions, financial records, etc. I don't see it as Big Brother. I see it as keeping shiznit wired tight so companies can CYA -- assuming everyone is doing their job right. If there is neglegence/cover-up/criminal actions, get it dealt with. If not, provide evidence that proper procedures are being followed.

Just have a retention policy...

[SmurfButcher+Bob]

...and follow it.

For emails, ours is "relevent life". Upon becoming irrlevent, it gets whacked.

If someone later orders you to produce email, you'll probably not have it. If you can show that you didn't delete it as a result of the order, or in an effort to destroy evidence, you cannot be prosecuted for not having it. A retention policy is key to this, because it eliminates any arbitration regarding when (or why) something was whacked.

Wait a moment...

[lesv]

What about all those business propositions I get from Nigeria. Do I have to keep those too?

You should probably delete them, so that when they turn out to be true, you can't be sued for corporate malfeasance for not having responded appropriatly. :)

Ask Oliver North

Seriously. He thought he was deleting his e-mails but when they disapeared only from his machine and not the central server it became obvious what had happened. And which ones were the "good stuff." So if your company backs up data- you're boned.

An tech support is the loser.

[argent]

I've already run into situations where I couldn't get documentation or software for devices only 4 or 5 years old because it had all been trashed according to the vendor's records retention policy.

Re:My company *requires* me to age out email

[anubi]

Unfortunately, in this day and age, employees who don't cover their ass are the first to end up on the street when the companies "right-size" themselves.

Its why plants in adverse areas grow thorns... cause the animals eat those who didn't protect themselves from the predators.

I speak from experience.

Trust me.

so?

[Luke-Jr]

I complain when people delete emails anyway...
I have every email I received over the past 5 years in my mailbox (with the exception of some spam, though I have a lot of that too since it's automaticly put in my Spam folder)
My maildir only uses 650 MB (150 MB compressed), so it's not like space is a reason to delete email... People just need to make folders and use them. :)

How about PGP encrypted mail?

[bigberk]

Let's say you receive an OpenPGP (PGP, GPG) encrypted email which requires your public key to decrypt. Once your key expires you're going to switch to a new key. Even if you're good at keeping old legacy expired keys around, eventually the message will become unreadable (forgot passphrase etc.) I don't know where I'm going with this mind you

Re:How about PGP encrypted mail?

[JKR]

In the UK at least the R.I.P. (Regulation of Investigatory Powers) bill makes failure to produce decryption keys a criminal offence.

Jon.

Re:How about PGP encrypted mail?

[thelaw]

But if you don't have the key anymore, as per the parent, you can't produce a key you don't have.

jon

Re:How about PGP encrypted mail?

[DreamerFi]

In that case, in the UK, you're in trouble, because you are breaking the law. There was a really hilarious example when some reporter sent an encrypted document to the government puke who was introducing this law, carefully done so that the encryption key was deleted and unavailable. This was indeed to point out the insanity of the law...

very easy, reasonably cheap

[mattyrobinson69]

pass all corporate email through a proxy. the proxy could easily store every email in sub folders by employee>yyyy>mm>dd> (let the IRS sort through it if they want it). this could be made cheaper if its stored on a compressed file system (reiser4 with a bzip plugin when its ready, because there wouldn't be that taxing on a cpu dedicated to bzipping mail).

this would also save money if all mails were passed through a virus scanner and all viral attatchments removed before reaching the network proper.

i would have thought companies would want a log of all emails anyway to find out who's wasting resources on emails such as "john, pub at lunch?" and such.

Forget regulations, it's a good idea anyway

[IGnatius+T+Foobar]

There's enough backstabbing and blame-shifting in modern business that it makes sense to keep emails around anyway. I frequently delete the ones that say "ok, thanks" or something equally as insignificant, but I also keep a "CYA" folder for things I may need to throw back in a customer's face later on when they claim they asked for something different, and I also never empty my "Sent" folder so when the boss comes storming in with a "Why didn't you..." rant, I can pull up the relevant email and say "See, I did."

This should be pretty obvious to anyone who's had a job with email for more than a couple of months. I used to be a good server citizen, keeping my mail store usage nice and tidy, but not anymore.

geesh

[davidwr]

There's better ways to do records retention - this thread abounds with examples.

Besides, if I forward an email to myself on day 29, does the clock start over?

What if I print it out and scan it back in, does that stop the clock?

Silly USA

[Mister+Liberty]

Land of the Free (How much longer
are you guys and gals gonna put up
with this Kafkaesk silliness?
Everbody's a suspect unless
proven unguilty.
The truly guilty -- their heads
should roll, their mouths not smirk.
Yet hope there is --
again be free,
be brave, American!
Crush those sinister powers
that be), Home of the Brave.

This is very common

[jhylkema]

A big part of a lawsuit is discovery. FRCP 26(b)(1) provides that:

Parties may obtain discovery regarding any matter, not privileged, that is relevant to the claim or defense of any party, including the existence, description, nature, custody, condition, and location of any books, documents, or other tangible things and the identity and location of persons having knowledge of any discoverable matter.

In other words, lots of stuff in emails is considered fair game for discovery. Failure to produce it, or destroying it, subjects the party to severe sanctions, up to and including "rendering a judgment by default against the disobedient party." So, what they're saying is, deleting emails could constitute willful failure to disclose in the event of a lawsuit and could result in those sanctions.

Re:This is very common

[Mister+Liberty]

Very nice you sing the authority's tune, but if I were an American I'd opt for the sanctions rather than assuming myself guilty beforehand.

This is not only a case of big brother...

[Orne]

I would like to point out that it is not only "big brother" (aka the government) who is driving the data retention policies... it's the litigation brought on against private industries, in order to determine fault for civil cases.

When it comes to Enron or Big Tobacco, we'll embarrass them, put their statistics in commercials, their phone coversations on the evening news, just so another group can turn around and start civil suits against them. Our society seems to have this drive to find out exactly who was in the drivers seat when decisions were made, down to Who sent what email When to Whom... yet we still allow our governement representatives to take "voice votes" so we don't know who voted on what laws? You would think that that's something we want to hold people accountable for...

I don't think Bloomberg trades

They make trading systems and information systems. But unlike Bear Stearns, I don't think they actually are involved in trading and thus aren't subject to SEC requirements.

Meta-data costs more to save?

[Todd+Knarr]

I think Mr. Ellis needs to go get an independent consultant to double-check the software contractor's results. If users are just filing e-mail, then saving meta-data should be automatic. All the e-mail programs I use commonly that let me file messages in folders (Pine, Evolution, Mozilla Mail, Thunderbird) save the complete SMTP headers with the meta-data in question automatically. If the company Mr. Ellis is getting his "solution" from charges extra for saving what's commonly saved automatically, they're probably gouging him on more than just that.

a question would be

[forgoil]

When will it be illegal to not have a valid email address?

Yes you can!

No, there is a clear legal standard on document retention. You do not need to keep documents if they are not needed for a business purpose unless you have been notified of an existing legal investigation. So you can destroy drafts of any work and clean out old work at your descretion. However you cannot go back and catch up on your cleaning up if you become the subject of a legal investigation.

E-mail Archiving

[ardinos]

I own a small company that among other things helps implement e-mail archiving systems for compliance. Some information:

1. The archiving of e-mail applies only to company e-mail. ALL e-mail inside a company is considered to be owned by the company and is NOT private! (If you check your AOL account at work and it's not blocked this isn't company mail.) If you're using your work e-mail you have no privacy. As to spam, not spam etc. If it's caught by a spam filter at the firewall and the user doesn't see it it's spam and doesn't need to be kept. IF it makes it to the user, it isn't spam, (even if it really is;)

2. There are specific regulations applying to trading firms, (such as SEC 17a-4 and NASD blah,) but more general legislation such as Sarbanes Oxley can also be interpreted to apply to archiving and making searchable electronic records such as e-mail. This really isn't any different than keeping memos or other paper records that have been generated in companies and kept in archives for years.

3. Having a policy for what to keep for how long as far as electronic records is good, but it's not the whole battle. You need to document why you choose a given amount of time to keep a record, how you kept it, (can it be altered? Can it be eraseed without anyone knowing it?) How you're auditing those records. (E-mail was deleted after 7 years, prove it!) And how you can prove nothing was lost. It's just doing your homework.

4. This is all actually an opportunity for companies to save money, right now, most companies keep everything the employee doesn't delete until they leave and the account is deleted. Why keep potentially damaging information that's taking up space and costing money for storage if you don't have to? Also if a company is sued and an employee is for instance accused of sexual harassment through e-mail, it's an easy matter to check isn't it? It'll stand up in court, something e-mail wouldn't do if it isn't really being turned into a record.

Not in the state of Washington...

[Eric+Damron]

"Expensive measures are being called into place to archive the mail for future subpoena purposes."

I work for the State of Washington. In this state's government there is no problem deleting email as long as your department has a written policy defining the retention time for email.

Email is covered by the freedom of information act which means that it is not hard for an average citizen to request copies of email sent and received by the department. There is a procedure, fee and waiting period that discourages someone from coming in and requesting all mail during the retention period. It could be done but it would be very expensive. Not really worth it for someone on a wild fishing expedition but doable for a citizen that wants specific information..

If we receive a subpoena for email that was sent or received within out written email retention policy we had better be able to produce it. If we can't the requesting party could conceivably compel us to hire a very expensive data retrieval company to come in and reconstruct our data in order to comply. And of course if the courts believe that we deleted email prior to the retention date in an attempt to destroy evidence there is a chance that someone could be spending some quality time as Bubba's new love toy. If you know what I mean...

Re:Not in the state of Washington...

[Forbman]

I agree. I worked in the corporate office of a major pharma, and the computer people there did have the need to slurp all of the data off of a couple of hundred computers as part of discovery for a lawsuit against one of the company's products who might have been involved in issues about the product. It cut across all lines - the product division, various corporate departments, etc.

Some of the retention periods mandated by the FDA are pretty...extreme. They can go into all media related to a product as well. The company I worked for had quite the huge warehouse for retaining this stuff.

And, as this has come up, short of laws in certain businesses requiring a mandatory retention period, as long as the company policy said, "all remaining e-mail messages on corporate servers will be deleted daily", and it was not easy to save messages, then deleting e-mails was OK.

It is all in the policy. Which is why everyone was strongly urged, in computing print media, to set up corporate e-mail retention policies NOW, because it's too late after you've been subpoenaed.

Not Monicagate, Iran-Contra

[kalidasa]

Expensive measures are being called into place to archive the mail for future subpoena purposes. Think Enron on one hand. Think Monicagate on the other.

The Lewinsky thing centered on a soild dress; that was the smoking gun, so to speak. The presidential scandal in which archived email played an important part was Iran-Contra (think of Ollie North shredding all those files, only to have his email correspondence with Poindexter used against him).

Whew boy...

...I'm glad of this. After having just worked for several years for a company with a "document retention policy," (corporate jargon for "we delete your email for you after two weeks"), it's clear that companies are out there running the equivalent of digital paper shredders night and day to prevent any chance that any of their illegal activities might ever be discovered.

Biometrics

[illumina+us]

I think it won't be longer passwords but a unique key assigned to you or generated from you such as a thumb print or retina image coupled with a 8-12 character password -or- two short passwords which change at different times.

For future subpeona purposes?

[istewart]

You've got to be kidding me. Are we all supposed to live under the threat of legal action? I don't give a shit about some lawyer or overpaid legal advisor telling me that it's to protect myself from liability... My business practices should not be centered around litigation. What the hell has this country become, and when is it going to change back? I better be careful, this message expressing subversive opinions may someday be used against me.

Re:For future subpeona purposes?

[BCW2]

Sad but true. Just one more truth that the shysters have too much power.

Lawyers should not be allowed to run for any legislative body, it's a conflict of interest. They go to Congress and write laws in language so convoluted that it guarantees themselves and their peers perpetual employment translating that crap into English.

Workaround

[DMUTPeregrine]

A simple workaround: Encrypt all e-mail archives. Delete the key pair. Now, they didn't ban deleting key pairs, just e-mails. OR, store the mails, then repartition the hdd on which they were stored. Easier to get them back, but still nothing illegal and a good way to hide it.

Saved Email: A Security Blanket or a Liability?

[ElDuderino44137]

I have to agree with you,

Still.
I did a quick google search to see what I would find. The University of Washington seems to think this topic is important enough to have a set of web pages devoted to guidelineing eMail destruction.

It seems that if you keep it too long you're hanging your self when a public records request comes along. Excerpt below:

"One person at the UW whose email was recently requested had 45,000 messages; another had the equivalent of 1.4 million pieces of paper. With this kind of volume, responding to a request is time-consuming and expensive."

They go on to advise:

"The key is to organize your email so you can delete it in a timely manner. Keeping all your email has costs, as does deleting email too soon. It is worth learning which messages should be kept and taking the trouble to save and delete them systematically."

The fact that a university has a "Records Retention Schedule" should be of no surprise. But it still gets a bit of a chuckle out of me.

It's an amuseing read:
http://www.washington.edu/computing/windows /issue2 8/saved.html

Cheers,
--The Dude

Where do you get all the space?

[songbo]

Give me 10 gig of space, and I may consider keeping all my mails in some kind of archive. Heck, give me 50 rooms, and I may print out all the emails, together with whatever attachments that come out, file them, and store the files somewhere. Of course, we'll probably kill many many trees somewhere along the way, but it's all for the sake of keeping our records properly.

Re:Where do you get all the space?

[wayward]

We have space issues too, and storing unimportant email seems stupid. Do I really need to know about the organization-wide ice cream social two months ago? There's been some comparison to paper mail, and a lot of that gets dumped in the recycle bin too.

Pooh booh and fuckem

[mickwilson20]

ohh, really tricky, this. Let us keep forever in bound (electronic or leather) pertfolios all that which we do. Better yet! Let u srespond with 'narf' to all penis enlargement or viagra offers. let us dutifully file all the robot responses in an auditable manner. hooo-fckn-rah... BB can choke on the overload and let us let the Fort meade just keep chewing terabytes. Innocuity will always win over purpose, as the anarchists and socialists of europe realized over 100 years ago.

Line noise.

Well, it's easy for me. The only password I really have for my server is the root password, the only way I log into the root account is via SSH. So I basically set my password to 96 digits (IIRC) of line noise, and use a 4096 bit RSA key for authentication.

ND

Re:Line noise.

Now aren't I a fucktard... I posted this in the wrong article.

I save ALL my email, just as I state...

[antispam_ben]

... in my very own personal Privacy Policy page.

Eh?

"When I worked as a Unix guy at Computer Associates, who fired me for reporting them to the BSA"

1) Aren't there whistleblower statutes to stop such things?

2) Isn't CA a *member* of the BSA, or am I seriously confused here?

*boggles quietly*

The IRS

[Jorkapp]

You never know what an IRS agent might find lucky

Someone who fills out their income tax return perfectly?

not reasonable to archive emails our companforever

we went through this at the company I worked with where we sought legal opinions from several sources.

If you routinely delete emails rather than archiving them and cycle your backup media on some regular basis you can certainly legally erase your emails without worry.

Think of the parallels with other things in your office - do you keep duplicates of all things you photocopy? Do you store copies of all regular mail you receive? Do you stash away everthing in your waste baskets each night? - of course not.

So, get your policies written - regularly cycle your backup tapes, and if you want to delete emails then delete your emails - the only difference is that you may specify that particular people - those who have direct contact with clients and suppliers - make arrangements to store emails for potential litigation purposes - but put it all in a well written policy book and do it soon.

Where did the e-mail in my inbox come from?

[j741]

So if we save all our e-mails for future legal purposes, the e-mail probably would not be valid evidence anyways. I mean think about it. I get dozens of e-mails per day that come from a phony or 'borrowed' e-mail source address. How would the e-mail be verified as ligitimitate, and not a fake? Come on, If you can't track down all the spammers (or virii) from the hundreds of messages per day in everyone's inbox how can you expect to tell me that CompanyX actually set me that message in my inbox offering me money for free? - James.

5th Amendment...

...protection against compelled self-incrimination only applies to persons.

Corporations are not entitled to that 5th Amendment protection and if a corporation posesses any incriminating information in paper or digital form, it can be compelled to produce that information into evidence before the court.

Thank Gad!!, I have done all deleting already:-)

Looks like the guys who need this more did all
the clean up before coming up with this ;-)

Punitive damages and class-action bloat!

[0x0d0a]

What the hell has this country become, and when is it going to change back?

The problem is that the US has punitive damages, and generally no caps on said damages. It also has class action lawsuits with no caps on attorney fees (there should be *flat caps*). The initial point of this was to rein in out-of-control companies, but it has horrendously backfired. Now, a huge amount of our business overhead results from attempts to compensate for ridiculous legal concerns. My disposable coffee cup each day has a molded plastic top with a huge blurb of text right in front of my eyes when I'm drinking that reads "WARNING! SIP WITH CAUTION! CONTENTS MAY BE HOT!"

In general, I do not believe that this has been a net win for society. We spend a huge amount of time in businesses doing stupid things to avoid legal problems. Many useful things that a company *might* do to help someone (like offer advice from their helpdesk with solutions that aren't on the "script" when the "script" has been exhausted and can't help anyone) are now avoided for fear of litigation. We see class-action lawyers (such as for the tobacco lawsuits) sucking down *huge* fees, on the order of hundreds of millions of dollars. The result has been flat bans on litigation (which, in my opinion, should never, ever be done and should be unconstitutional -- the lawsuit is the way our legal system allows a citizen to demand reparations). Now, a citizen cannot file suit against a food company for food "making them fat", and came close to not being able to file a lawsuit against tobacco companies (thanks to John McCain and Clinton for shooting that down). I'm not saying that either of these lawsuits would have merit, but the idea of banning lawsuits is appalling, and the idea of taking control of whether a lawsuit is reasonable or not from the judicial branch is particularly egregious.

Whistleblowers are our friends

[0x0d0a]

nice guy - reporting the company... did it profit you any?

Actually, I'd say he is. If you define "nice" as "willing to take personal cost to benefit others (in this case society)", I'd say that he pretty much falls exactly into that category.

If "nobody likes a snitch" then perhaps everybody should stop breaking the law at their company. Frankly, I think it's too bad that we can't reward whistleblowers even more.

But IT is the winner

[0x0d0a]

This puts IT in a very interesting position. They are in a position of extreme trust. A ranking IT person that "goes rogue" could probably get all of the email of the company, as well as other files. This means that it may be worthwhile to pay the IT people that you grant full control over your systems well to minimize the risk of them turning on you. The same thing happens for CEOs -- lots of pay, since the damage they can do is phenomenal.

Re:But IT is the winner

[argent]

You think? That would explain why secretaries are paid so well, then.

I record conversations.

[hashwolf]

I do not only archive my important emails but I record my converstaions with other people as well.

I have an MP3 recorder running in a loop all the time in my pocket. Whenever I have gone through a particularly important conversation I save it on my laptop, and then finally on CDROM for future reference. In future, if the technology becomes affordable, I would also like to record whatever I see too (video)... meanwhile I take pictures with my digital camera. In order not to piss people off I don't give it away that i'm recording everything.

Such recordings can be very useful when assholes 'twist' what they have said in order to save their ass and put yours on the stake.

Hey everyone, I just deleted 23 E-mails!

[Mr2cents]

..but then again, I like to live dangerously..

Re:not reasonable to archive emails our companfore

[gui_tarzan2000]

Not reasonable? I agree. Some government agencies like public schools are required to keep certain documents a loooooooooong time. We have to keep student transcripts for 100 years. Yes, file cabinets sit in an office taking up valuable space holding paper transcripts until long after most of the people are gone from the planet. The way things are going I don't see it getting better, I see more and more of these types of rules coming.

A possible solution

[Jonny_eh]

Check out http://www.educomts.com for an email archiving solution. It's pricey, only works with MS exchange, but its likely quite worth it for large corps.

Delete

[CelticWhisper]

Oh, that's okay. It doesn't matter if I delete a message-my friendly BOFH keeps our entire employment history's worth of E-mail messages on backup tape...whether we all want him to or not.

Suffice it to say, it's more for his own reasons than reasons of secur...oh my god, here he comes! I have to go, right &NO CARRIER

Re:Delete

[pfleming]

Not too terribly long ago a company that I provided email and web services to, decided that I should provide them old email. They started out by asking for email from a single user for a time period far longer than the 14 day backup rotation that I was using. Mind you, the 14 day rotation was based on data that existed at the end of the day. Anything that came in, went out, or was deleted before being held overnight was not included in the backup. The company subsequently made a 'midnight move' to another server and couldn't get email from my server- funny how DNS propigation works. They asked for their email. I sent them their $HOME/mail folders (they had been using IMAP) in a nice zip file and sent all mail hanging out in the mqueue.
Then they asked for the email in a 'usable' format- two months later. They also asked for what amounts to a dump of their email address list.
Back on topic- if they had written and maintained a retention policy of some kind they would not have been asking me for email that would have been deleted by their users on a regular basis. I probably would have also had some kind of archive as it passed through the system.

This is why....

[IncohereD]

Nobody follows the official retention policy. Not with PHBs constantly denying that they authorized a project or made a decision or whatever...

My manager has a great policy for dealing with people who don't ever respond to e-mail requesting decisions - send them an e-mail saying "This is what we're doing, reply if it's not okay". And keeps a copy of it, knowing full well they never reply. Instant paper trail. Great for CYA.

What's the BSA?

[wayward]

Potentially stupid question, but what's the BSA? I keep thinking "Boy Scouts of America."

Re:What's the BSA?

[chmod000]

Business Software Alliance.

Open Question: Send Spam to Congress?

[meaje63]

Ok so we all know that government entities now can no longer delete what they consider spam, so my open is can we use this to help congess / lawmakers see the spam problem for what it is? My proposition is to have a large segment of the IT community batch and send their Washington representitves their daily bulk mail with a polite note explaining a want / need for change in legislation reguarding opt-in versus opt-out as we have currently. Something like this could be used as a tool to even influence the spammers themselves if anyone could actually gain access to their addresses.

Re:Open Question: Send Spam to Congress?

[g0bshiTe]

[blockquote]Something like this could be used as a tool to even influence the spammers themselves if anyone could actually gain access to their addresses.[/blockquote]
They are probably smarter than us, and do not use any form of personal email account.