Archiving “Drafts” Folder Important for Compliance

If you care about compliance, the "Drafts" folder in your Inbox needs to be archived.

Archiving vendors take several approaches to email archiving. Some access mailboxes via MAPI and pull items out into the archive. Others intercept SMTP traffic and journal a copy into the archive. Still others copy the database transaction log files ('log shipping') and rebuild the email database for archiving purposes.

Journaling only captures what has been sent. MAPI and log shipping capture the Drafts folder.
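The coverage gap can be measured by reconciling a mailbox crawl against the journal. The following is an added example, not code from the original post or from any archiving product: it uses a Maildir from Python's standard library as a stand-in for mailbox-level access, and the folder names, addresses and messages are constructed sample data.

```python
import hashlib
import mailbox
import tempfile
from email.message import EmailMessage


def make_message(subject, body, message_id=None):
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = subject
    if message_id:
        msg["Message-ID"] = message_id
    msg.set_content(body)
    return msg.as_bytes()


def build_sample_mailbox(root):
    """Constructed data: one message that was sent, one draft that never was."""
    box = mailbox.Maildir(root, create=True)
    box.add_folder("Sent").add(
        make_message("Q4 invoice", "Attached.", "<sent-1@example.test>"))
    # A draft that is never submitted may have no Message-ID at all.
    box.add_folder("Drafts").add(
        make_message("draft note", "Left here for whoever logs in next."))
    return box


def item_key(msg):
    """Message-ID when present, otherwise a hash of the raw item."""
    return msg["Message-ID"] or hashlib.sha256(msg.as_bytes()).hexdigest()


def unjournaled_items(box, journaled_ids):
    """Crawl every folder; return (folder, subject) for items the journal lacks."""
    folders = [("INBOX", box)]
    folders += [(n, box.get_folder(n)) for n in sorted(box.list_folders())]
    missing = []
    for name, folder in folders:
        for msg in folder:
            if item_key(msg) not in journaled_ids:
                missing.append((name, msg["Subject"]))
    return missing


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        box = build_sample_mailbox(tmp + "/Maildir")
        # The transport journal only ever saw the message that crossed SMTP.
        journal = {"<sent-1@example.test>"}
        return unjournaled_items(box, journal)
```
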

This story on CNN contains a nugget about why archiving Drafts is important. "A Yahoo! e-mail account was set up so the men and militants could communicate …. E-mails were never sent from the account, but people would leave messages in the draft folder and delete them after reading."

Whenever a law or compliance regime exists, people will try to get around it. Archiving Drafts is necessary for compliance.

... David Sengupta

One Comment

  1. Posted December 14, 2009 at 5:28 AM | Permalink

    Taking this to its logical conclusion, then every keystroke executed on every PC would be subject to compliance. Consider some text that one types into Notepad and leaves open on one’s desktop, without even saving it. Somebody else might open a remote desktop or VNC connection to the same machine and read the text. Therefore the non-saved text is actually a message, therefore by your theory it must be archived, but the only conceivable way to do that would be by logging and archiving all keystrokes in real-time.

    This is impractical in so many ways — not to mention probably being a violation of laws that protect worker privacy in some countries, but let’s imagine for a moment that it could be done. How, then, would one separate these “messages” from simple data that is seen by nobody other than the person who typed it? This is an important consideration not just to reduce the storage burden of compliance archiving, but also to eliminate the possibility of accidental disclosure in discovery of information that is sensitive but not actually subject to discovery, not to mention the possibility of disclosure in discovery of information that has the appearance of being a message but actually is not! Note that tracking user logins and coordinating that information with the keystroke data would not be an effective way to determine what is a real message and what is not, because people who are trying to circumvent compliance archiving would simply share their login information with the people they need to communicate with, making it impossible to know from the logins who (or even how many different people) actually saw the message — which is exactly what the CNN article describes in the context of the Yahoo mail account.

    Note: I work on a compliance product that does not archive drafts. I am speaking for myself, not for my employer.


    P.S. MAPI is not the only protocol that is used for pulling items out of mailboxes. Mail systems other than Microsoft Exchange do still exist.

  2. Posted December 14, 2009 at 4:18 PM | Permalink

    Hi Richard – this is a good discussion, and highlights a key point. The decision to seek “compliance” is really a decision to choose an arbitrary point on the continuum between non-compliance and 100% compliance and strive towards that. Some organizations may decide to shoot for as close to 100% compliance as they can get, in which case keystroke logging would be within their scope. Other organizations will look to ‘norms’ for their industry, while others will decide that the ‘head in the sand’ approach is the ‘safest’ approach for their particular case.

    So in my mind you are absolutely right … true compliance is exactly that … perfection so to speak … but when organizations talk about ‘being compliant’ it is really them making a choice as a standalone organization, or putting themselves under the norms, laws or regulations for a given industry and/or country. As you suggest, the practicality of what is feasible — from a cost, technology, storage burden and process perspective — has to be taken into consideration (as do privacy laws, etc.)

    Life is full of choices and compliance is just that. A choice.


  3. Posted December 15, 2009 at 12:22 AM | Permalink

    re: “Mail systems other than Microsoft Exchange do still exist.” And need to exist for the growing numbers of businesses running mixed MS, Mac and Linux desktops and mobiles.

    There’s an opportunity to deliver a messaging archiving product that’s not just SMTP or MAPI but covers POP3 and IMAP on multiple OS’ as well.

  4. Posted December 21, 2009 at 9:26 PM | Permalink

    Dear David Sengupta:
    Compliance is now one of those terms which really needs to be defined before it is used. Strictly speaking, compliance with e-messaging financial regulations only requires archiving actual communications involving ‘doing business’. It is not a continuum but really quite a clear, discrete point.
    We suggest that before any archival hardware/software decisions are made, that the legal, compliance and IT management agree to this or other definition and make sure that their archive decision is appropriate and consistent with the definition. No need to spend more money than necessary just because someone over-defines compliance.
    Interesting stuff, though.
