The Downside of Email Disclaimers

Many organizations like to append disclaimers to their outgoing email messages. These are often full of delicious legalese instructing anyone who may have received the message "by accident" to delete it.

As we've said before, they're usually a waste of time. But there could be a worse downside than mere time wasting.

Any standardized, boilerplate text is a godsend for a malicious network sniffer who's hell-bent on stealing your secrets. Imagine you are trying to commit corporate espionage by tapping into an ISP's network and watching all the network packets go by. It would be like drinking from a fire hose: very difficult to select the packets containing email text from the organization you're targeting. However, if you knew that organization used a standard disclaimer, you could have your packet sniffer search for packets containing that text. It's likely it would pick up a very large proportion of the messages you're interested in.

Of course, your organization should be using email encryption for confidential information wherever possible, but a surprising number don't.

... Richi Jennings, with thanks to Bob Janacek from CertifiedMail for the inspiration

One Comment

  1. Posted October 30, 2006 at 7:35 AM

    How true! I never could understand what inspired people to add these so-called disclaimers to the bottom of emails. I find them to be annoying and they add no value whatsoever. What’s even worse is when each reply from that person also includes the disclaimer and just clogs up the email message more than need be. Next on the annoyance list are images…

  2. Posted October 30, 2006 at 1:15 PM

    I think sometimes people view using email encryption software like taking their vitamins. Everyone says it’s good for you and you know it’s good for you. However, actually getting into the habit of doing something that’s good for you is another issue.

  3. Paul Fletcher
    Posted October 31, 2006 at 5:05 AM

    Surely if you wanted to sift out messages from a particular organisation it would be much simpler to look for “From:” than to look for specific disclaimer text? The format doesn’t change between organisations, the text appears at the *start* of the mail instead of the end (so you can pick up the rest of the packets in this tcp session), and with a small modification you can pick up messages going *to* the organisation as well.

    Don’t get me wrong, I don’t like disclaimers either, but I really don’t see this as a reason not to use them!

  4. Jim Adams
    Posted November 1, 2006 at 2:27 PM

    I agree that disclaimer language such as “if you are not the intended recipient” automatically separates business email from spam, similar to tagging it with red flags as they march across the internet like a post card. (strike 1) After all, when’s the last time you received a spam message with this disclaimer? (strike 2) And anyway, the disclaimer is added to the end of the message, so if it was read by the wrong person, they’ve been warned after the fact. Bravo lawyers, strike 3, you’re out!!! Now, how about taking our heads out of the sand and start looking for some good encrypted email systems!
