Re: [EXIM] Mail Tapping

Author: Tony Cowderoy
Date:  
To: exim-users
Subject: Re: [EXIM] Mail Tapping
I have seen discussions similar to the following a number of times on some
of the newsgroups. There seems to be a general misunderstanding about why
businesses want to do this and why some businesses *need* to do it.

>>
>> First off I'm not a fascist. I normally don't want to tap people's email
>> but if I could at the moment it would make my life easier.
>>
>> I need to be able to "tap" all incoming/outgoing email on a commercial
>> site I help run. I can take copies of mail sent to local users by
>> setting a global filter file. I'd like to be able to take copies of
>> outgoing email too.
>>
>> I guess I could write a shell script to replace /usr/lib/sendmail... but
>> it would be helpful to take copies of the envelope fields on SMTP
>> traffic too.
>>
>>     Lee

>
>I doubt very much that I personally could condone that, but I do
>happen to know that what you want can be done. I have a reasonable
>idea about how it could be done, but I can't bring myself to work
>it out/look it up.
>
>Julian
>


Most businesses keep paper files of incoming and outgoing snail mail as a
matter of course. This is done so that evidence is available in the event
of any subsequent dispute with other parties, such as suppliers or
customers. In general, employees are aware of this, understand it and
accept it. To many managers, it seems an obvious extension to retain
archive copies of all incoming and outgoing e-mail. Similarly, internal
memos are normally filed and it seems reasonable that the same should be
done with e-mails.

I am not a lawyer and I do not purport to give legal advice, but as I
understand it e-mail messages can now be used as evidence in civil cases in
the UK. ISTR someone getting sued successfully for libel contained in an
internal e-mail message. To protect themselves against forged e-mail being
used to bring a fraudulent claim, companies want to keep evidence of the
messages that have been sent or received by their employees.

In the case of professional practices, such as accountants or lawyers, they
have a specific duty of care towards clients. As such, one point of view
is that they have a *duty* to retain correspondence to show what they have
done on behalf of their clients and could potentially be seen as negligent
if failure to keep proper records subsequently resulted in a client
suffering loss. It has been argued that these duties apply just as much to
e-mail as to snail mail.

In addition, if you are using your company's e-mail system you are doing so
in your capacity as an employee. Your employer is potentially liable for
your actions and is therefore entitled to know what you are doing.
Further, most companies provide e-mail for business use, not personal use,
and sending personal messages could be seen as a misuse of the system.
Likewise, messages sent to a company address are being sent to someone in
their capacity as an employee. I can see no good reason why a company
should not be allowed to monitor messages sent or received on behalf of the
business.

As I see it, there are reasonable grounds for businesses to retain copies
of e-mails and the most simple way to ensure that this is done is for the
MTA to file archive copies of all messages.

However, I do think that where such a system is set up:

a) all employees should be notified that archives of e-mail messages will
be kept;

b) access to such archives should be restricted on a need-to-know basis.

I worked for several years for a professional practice that did this and
never heard of any complaints that such information had been abused. I did
come across cases where people who had failed to keep their own backups
were very pleased that an important message could be retrieved from the
archives.

In the UK, any e-mail archives could well be Personal Data within the terms
of the Data Protection Act, so companies would have all of the duties set
out in the Act to restrict access and not to make improper use of the data.
I imagine that the same would apply in other EU countries.

Moral qualms about telling people how to keep archive copies may be one
reason why freely licensed MTAs such as exim are not used more often in
business. This plays into the hands of people selling proprietary MTAs,
many of which do not seem to conform to the RFCs. Some of these companies
have enough commercial clout to hi-jack the Internet standards process if
we let them (no names, no pack drill). We don't want de facto control of
Internet protocols to fall into the hands of a few large businesses, do we?

Please let's treat other exim users as responsible people and let them know
how to keep archive copies if they need to. I think that most people who
have got as far as implementing exim are likely to be the kind of people
who will have a fairly sensible outlook on privacy.

Tony
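One way to have the MTA file the archive copies Tony describes, while meeting his point (b) about restricted access, is an Exim system filter plus a dedicated transport. This is an added example, not from the original thread or the exim project's own documentation; it uses Exim 4 syntax (the thread predates Exim 4), and the paths /etc/exim4/archive.filter and /var/mail/archive, the unprivileged account `mailarchive`, and the transport name `archive_file` are all assumptions.

```exim
# Exim filter
# (assumed path: /etc/exim4/archive.filter)
# Runs once for every message the MTA accepts, incoming and outgoing.
# "unseen" means this copy does not count as the message's delivery,
# so normal routing to the real recipients is unchanged.
# Bounce messages are skipped so failed mail does not double up the archive.
if not error_message then
  # one mbox per month, e.g. /var/mail/archive/2004-01
  unseen save /var/mail/archive/${substr_0_7:$tod_log}
endif

# ---- fragments for the main Exim configuration (assumed: /etc/exim4/exim4.conf) ----
# Main section: apply the filter to every message, running it as an
# unprivileged archive user rather than root (the user is assumed to
# exist and to own /var/mail/archive).
system_filter                = /etc/exim4/archive.filter
system_filter_user           = mailarchive
system_filter_group          = mailarchive
system_filter_file_transport = archive_file

# Transports section: the path from the filter's "save" command arrives
# in $address_file; appendfile writes it as mbox, created mode 0600 so
# only the archive account (and whoever is granted access to it) can read it.
# Drop the "begin transports" line if pasting into an existing transports section.
begin transports
archive_file:
  driver = appendfile
  user = mailarchive
  group = mailarchive
  mode = 0600
  create_directory
  directory_mode = 0700
  # keep envelope sender, recipients and delivery time with each copy
  return_path_add
  envelope_to_add
  delivery_date_add
```

The file permissions implement the need-to-know restriction on the archive itself; the notification of employees in point (a) is an organisational step that no configuration can supply.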

--
*** Exim information can be found at http://www.exim.org/ ***