Stupid Email Disclaimers
It has become fashionable, particularly in the UK, for management in
various organizations to insist on various disclaimers and
confidentiality notices be appended to all out-going email address.
I've seen loads of them over the years, but have only now (2001-01-22)
started collecting them, so the collection does start very small.
A typical example is from Luton
Sixth Form College, lutonsfc.ac.uk:
This e-mail is intended for the addressee shown. It contains
information that is confidential and protected from disclosure. Any
review, dissemination or use of this transmission or its contents by
persons or unauthorized employees of the intended organisations is
strictly prohibited.
The contents of this email do not necessarily represent the views or
policies of Luton Sixth Form College, its employees or students.
I have recently had my attention drawn to the phrase "persons or
unauthorized employees" in the above disclaimer. Beyond drawing
attention to it, it requires no comment.
Anyway, if the PHB's at Luton 6th Form College (or any other site
whose stupid disclaimers I list here) think that their disclaimer (or
anything else) makes it unlawful for me to quote the disclaimers here,
they know where to find me.
Why are these stupid? Let me count the ways.
There are typically two parts of these disclaimers. One part says that
the message doesn't necessarily represent official policy. If that is
worded carefully, it might be sensible. It is the other part of these
things (confidentiality, unintended recipient, etc) that is the really
silly bit of these. I simply don't believe that those statements have
any legal force whatsoever.
Imagine the following disclaimer at the end of an email message:
Notice: Unless you are named "Arnold P. Fasnock",
you may read only the "odd numbered words" (every other word
beginning with the first) of the message above. If you have
violated that, then you hereby owe the sender 10 GBP for each even
numbered word you have read.
Such a statement should have no force of law. The sender can't in
general unilaterally stipulate conditions on what the recipient may or
may not do with the email. (In specific cases, such as copyright, the
author may, of course, stipulate what rights are granted to the
recipient. There are other instances where there is an implied contract of
confidentiality, but those are not created merely by the sender
sticking the word "confidential" on a message.)
It appears that WebLaw's site
agrees with me. Although they seem to advocate use of these
disclaimers, their summary (based on their understanding of English
law) of their Legal
Position of Email Disclaimers document says
The value of disclaimers is limited, since the courts normally
attach more weight to the substantive content of the
communication and the circumstances in which it is made than to
any disclaimer. Having said that, disclaimers may possibly be
helpful if an issue ends up in court in various respects such as
those described below and, since disclaimers cost (almost)
nothing, it is worthwhile to use them. Even though their
effectiveness in court is doubtful, they may provide a useful
argument in negotiations to resolve a dispute.
Which sounds like they are saying that they have no legal value,
but you still might be able to frighten people with them anyway if
you have sufficiently scary lawyers.
The "this message is intended for the intended recipients" is
tautological at best. At worst it ...
Forbids mail being passed to the appropriate person
When I was an assistant postmaster at a mid-sized UK university, I
would routinely get mail forwarded to me for me to deal with. But the
original mail contained such a non-disclosure blurb. I would act on
the message, even though according to the blurb my acting on
information in a message not addressed to me was "strictly prohibited"
(or "subject to litigation" or whatever nastiness is threatened.)
There are many cases where the sender of a message hopes that the
message will get passed on to the appropriate person (who may not be
explicitly addressed in the message), yet if the disclaimer is to be
taken seriously that can't be done.
Mailing lists
Email discussion lists get widely distributed and often publicly
archived. That appears to be in violation of these sorts of
disclaimers. Thus your silly disclaimer is archived for all the world
to see in a place where it clearly is silly.
Press releases
The New Scientist has complained about getting press releases with
those disclaimers. What is it suppose to do with those?
Official policy
If the mail system always adds a disclaimer saying that the message
doesn't represent official policy, then how do you state official
policy by email.
If the disclaimer says that the message "does not necessarily
represent official policy" then that is like having no disclaimer at
all. It leaves it up to the reader to determine whether the message
states official policy.
Is there a paper parallel?
I've always wanted to know whether organizations which insist on those
disclaimers also apply to the same policy to paper communication.
Suppose I get email with such a disclaimer and I get a paper letter
from someone in the organization without one. Am I to conclude that I
may disclose what is in the paper letter and that is official policy.
Instead of being tautologies, some of these disclaimers actually give
you contradictory requirements. Basically the say things like "If you
are not the intended recipient ... any action taken ... is
prohibited. ... If you have received this e-mail message in error
please notify [us] ... Please delete this message."
So on the one hand, if I am not the recipient I am told that I cannot
act on information in the message. On the other hand, I am instructed
to take particular actions in that case.
One could, I suppose, say that the disclaimer doesn't apply to
itself. (After all, I'd be violating them all by publishing them if
they weren't.) But the disclaimers don't usually say that. And some
of the disclaimers point out that the message may have been
intercepted and tampered with, which surely does apply to the
disclaimer. Indeed that is what adding the disclaimers actually does.
So we are left with these highly legalistic sounding things which
require the reader apply selectively because the authors of the
disclaimer couldn't have actually meant what they said.
Tampering with mail
Adding these disclaimers may be considered tampering with mail. Some
people have said that adding these disclaimers in Germany would
probably be illegal. I have made no attempt to verify that assertion,
but suspect that it is false if the senders of the mail are informed
that such tampering will occur.
Addressee vs intended recipient
In my experience most misdirected is a consequence of users
misaddressing messages. Typically they select the adjacent line in
their address book from what they intended. These disclaimers talk
about the "addressee". On the other hand, if they were to talk about
the "intended recipient" it would require that the recipient be a mind
reader.
This is covered more in the section on what you
are left with, but it is worth repeating. In adding the
disclaimers, you may have both "false positives" and "false
negatives". The former are messages that get the disclaimer but
shouldn't (eg, press-releases, etc). The later are messages that
don't get the disclaimers but should (eg. a message sent from an
employee at home, but using a work email address).
False positives undermine your entire set of disclaimers. They simply
tell people that your disclaimers are to be ignored. They also open
the doors for people to do unwanted things with your messages (ignore
press releases, remove things from archives that should be archived,
get your users thrown off mailing lists).
False negatives invite people to assume that the messages that somehow
come without the disclaimers are official policy or shouldn't be
treated confidentially.
These problems are created by using disclaimers, making them worse
than just silly.
If the disclaimers are meant to do anything (and are not mere tautologies)
then you are left with a few possibilities if you want to keep the disclaimer
and non-disclosure notice.
- Put the disclaimer on all out-going messages, but hope that
the recipients will ignore it where it is ridiculous.
I've described a few cases where application of the
disclaimer is ridiculous. You could hope that people will just
kindly laugh and ignore the disclaimer in those circumstances.
Beyond making you look ridiculous, the problem with that is that
it actually undermines the rule of law (and of course any teeth in
the actual threat, as if someone uses the message in a way that
you do wish to sue about, and you try to base your suit on the
disclaimer, a defense can be that in a vast majority of cases you
have allowed (and desired) violation of those terms.) If you wish
to base your case on things other than the disclaimer, than the
disclaimer is not needed.
- Have users select whether to include the disclaimer or not.
This might work, but there is a slight problem. If some
of your messages appear with a disclaimer and others do not, then
there may be the implication that all those without the disclaimer
at official policy or may be published or distributed.
- Try to write a disclaimer that covers all of the exceptions.
I do not believe that this will be possible. It will probably end
up doubling the size of most of your email as well. But there are
strategies for this. You could say "unless otherwise noted in the
text of the message, this does not reflect official policy" Thus,
you ask your users to disclaim your disclaimer at various times.
You could also get around the length problem by placing the
disclaimer on a website and just mentioning the URL in the email.
If you do this, be certain to maintain distinct versions of the
URL disclaimer, since if you change what is on the web pages,
previous email should have the "old" disclaimer.
Despite these, I simply don't think that it would be possible to
cover all of the exceptional cases beyond saying "please treat
this email message in a reasonable way, or we might get angry".
In the end, I think, although I am vastly ignorant of the law here,
that adding disclaimers only makes you more vulnerable. This
is because without disclaimers reasonable conventions and existing law
apply. But once you add the disclaimer you had better get it exactly
right and on exactly the right messages, and you sacrifice reasonable
convention.
And, of course, these do make your institution look silly.
I can sympathize with the manager who is getting worried about all of
the communication going in and out of the organization with the help
of modern technology. That manager may fear that someday one of those
email messages is going to come back and bite them. It is not
unreasonable to worry about that. And there is often the strong
feeling that "something must be done". But often when there is a
feeling of urgency that something must be done, the wrong thing gets
done. Managers looking for something to do see the stupid disclaimers
of others and follow that crowd.
Instead managers should look at the nature of the organization and
email from it. If you are a university, you have staff, faculty,
students, maybe alumni sending from your network or with email
addresses in your domain. Recipients know that. Maybe it would be
good to move toward distinguishing in the email addresses the
different types of people. People know that students don't speak for
their universities.
For a business, just as you train and allow people to talk to
outsiders on the telephone you may wish to issue customer relations
guidelines for email.
See a separate file for the list of stupid disclaimers.
[Last modified: Sunday, 09-Dec-2001 16:53:43 EST]
If you know of a stupid disclaimer, send mail to disclaimers@goldmark.org .
I will keep your identity secret although I may try to verify the
disclaimer by writing to the site saying that they've been anonymous
nominated for the stupid disclaimers web page.
Also send mail with comments or additions. I'll try to incorporate
them as I have time.
Limited credit
I wish to thank many many people who have submitted things to me and
who have provided extremely useful and insightful (and amusing)
comments. However, a number of the submissions come from people close
to the organizations with the stupid disclaimers, and so I thought
that I should leave all contributions uncredited with the
exceptions of the ones that I noticed.
See a separate document for the parody
disclaimers.
[Last modified: Friday, 03-May-2002 08:24:35 EDT]
There is a separate document which discusses problems of actually appending the disclaimers.
[Last modified: Thursday, 19-Jun-2008 08:43:03 EDT]
If, after all of this you still feel that you need to be seen to be
doing something even though it will do more harm than good for your
institution, it is worth looking at a form of disclaimer which has the
least severe of the problems discussed.
So what would such a least bad disclaimer look like? Here are some
criteria
- It should be true
- No threats of legal action with no basis in law
- No claims to bind someone to a confidentiality or other
conditions which they didn't accept.
- No requests to not distribute things that actually should be
distributed.
- No claims of non-official policy on messages which are
official policy.
- False negatives shouldn't be a problem.
- It should be short.
- It should avoid pretentions, pompous or legalistic langaguage
where possible.
Basically, these criteria rule out the confidentiallity stuff and the
intended recipient stuff. It also rules out a one-size-fits-all
statement which is supposed to apply to the specific message it is
appended to. That leaves a generic reminder that email messages don't
necessarily represent official policy. So,
Email from people at your.domain.here
does not usually represent official policy of
Your-Organization-Here. See URL-Of-Policy-Document-Here for details.
Let's look at this bit by bit. It doesn't say anything like "this
message". That way, a false negative (a message without the
statement) can't be so easily taken to be official policy. It says
"not usually" so it does allow for official policy to occassionally
be stated in email. You may replace "usually" with "necessarily" if
you feel that a substantial portion of email with your organization's
name on it does state policy. It doesn't make any ridiculous legal
assertions about the responsibilities of recipients. It doesn't make
any claim about the legal status of the message it is appended to.
These should not be implemented the absolutely stupid way nor the merely stupid way. Instead it should be
applied using both the fairly silly
way and the merely silly
way, as discussed in the document that discusses the manner of appending stupid disclaimers.
Are you disappointed at how weak this disclaimer is?
This "least bad" disclaimer makes a very weak statement, and doesn't
seem like it is worth having at all. Well, maybe it isn't worth
having at all. But at least this one doesn't make ridiculous
claims about the email that you send.
Stupid disclaimers are not in the best interest of your organization.
Please don't put your personal need to be "seen to be doing something"
above the interests of your organization.
What should be on the cited policy document
The policy document listed in the disclaimer
- Must not include false or unenforcible legal
requirements upon the recipient.
- Must not assert things about all messages unless you
are absolutely sure that it is true of all messages.
- Should advise readers that email can be very easily
forged, and may wish to point users to resources regarding that.
- Should advise readers that email can easily be
misaddressed, and request that should the receive such a
message that they inform the sender and respect the senders wishes
where appropriate.
- Should advise readers that email may be intercepted, or
even tampered with by third parties.
- Should inform readers of your institutions policies
regarding interception and tampering of email.
- Should provide (or link to) detailed contact information including
postal address, full legal name, telephone and fax address, how to
contact DPA officer (UK only).
- Must provide information on how a recipient of some mail can
verify whether its contents should be taken as policy of the
organization.
- Should provide information on who (usually postmaster) a recipient
can contact to verify a suspected forgery.
- Must maintain a version history, so people can find the version
that was published at any time in the past (particularly at the
time that a particular message was received).
I don't (yet) have much in the way of other resources, but as I've said
elsewhere, all lists start small.
- Email
Disclaimer FAQ (SOMIS, Dundee University)
- This takes a slightly more sympathetic approach to the question
than I do, but is generally concludes that they are more trouble
than they are worth. The version I read was last modified April
1999.
- WebLaw's Legal Position
of Email Disclaimers
- They take a far more sympathetic view of such disclaimers than I
do, but see my comment on their summary in the legal status section.
- Anubha Charan's article on
Rediff
- This article discusses the perceived need for disclaimers and
their usefulness (about which it is skeptical). The general issues
overlap with what is described here. It's focus is on Indian law.
- The Register's
Longest
Email Disclaimer award
- It also lists links to some other winners of dubious honors with
respect to email disclaimers.
- Slashdot's
discussion of the Register's award.
- Someone in that discussion pointed out this page. That
discussion has many examples illustrating the same points made
here.
- A site advocating use
of email disclaimers
- I will leave it to readers to decide whether their advocacy piece
addresses the concerns that I raise in my document. It does a good
job of distinguishing among the many perceived reasons for having
disclaimers. Although it advocates disclaimers, it clearly notes
that a disclaimer does not eliminate employer liability for
employees sending libelous material.
Interestingly the owner, Deborah Galea, of emaildisclaimers.com and the companion site, www.email-policy.com, fails to
identify herself on the sites. Nor do the sites mention that she
works for Red Earth Software, which sells PolicyPatrol, an add-on to
MS-Exchange which will (among other things) add email disclaimers.
There is, of course, nothing wrong with advocating the use of tools you
sell. But I do wonder why the relationship between the
analysis/advocacy sites and the software firm has been left so obscure
for so long. At the very least one would have expected them to mention
this fact on the page where they compare a few providers of
disclaimer-adding software,
http://www.emaildisclaimers.com/Global_signature_software.htm".
One would think that people so concerned about disclaimers would be
careful to disclose such important information. Whether this calls
into question the trustworthiness of Red Earth Software is something
for potential customers to decide for themselves.
Note: My comments about emaildisclaimers.com apply to
their site as seen as recently as July 23, 2003. According to their
webserver, the crucial pages haven't been modified since December 18,
2001.
Version: $Revision: 1.43 $
Last Modified: $Date: 2003/08/14 13:33:09 $ GMT
First established Jan 22, 2001
Author: Jeffrey Goldberg