Damn, it was late, and I forgot to change the recipient list. So here it
is as a forwarded message,
Must... sleep...
On Fri, 2008-01-25 at 12:38 -0800, Jeroen van Aart wrote:
> Someone had the bright idea that those pesky disclaimers at the bottom
> of emails are a good thing. What is common practice and how'd I
> implement it in exim?
Firstly the standard personal disclaimer: IANAL :)
http://www.out-law.com/page-5536
The guidance there applies to the UK only, one would suspect, but there
are a couple of useful sentences:
"There is no legal authority on the effectiveness of these notices in
email messages;"
"Common sense dictates that adding this notice to the foot of the email
is too late: if the notice is read at all, it will be read after the
message."
"Some confidentiality notices begin, "This message is intended for the
addressee only". This is misguided because any person who receives the
email will likely only receive it because he is an addressee, albeit the
sender may misspell the intended recipient's email address"
More pertinently from a technical perspective, it is my belief (and I
will reinforce the IANAL statement here) that if a given system adds
content (rather than meta-content such as headers) to a message in
transit then the message the recipient sees *is not* the message that
was sent. I would argue that this could render _any_ disclaimer invalid,
and this has particular pertinence with respects to digitally signed or
encrypted messages where the MUA is responsible for the signing. Any
modifications below the headers of an RFC2822 compliant message which is
digitally signed or encrypted by the MUA will render the message either
non-verifiable or, at worst, indecipherable.
There are systems (such as server-side S/MIME, not implemented as far as
I know by Exim) which can prevent this problem. I have no idea
whatsoever if they're in widespread use; I don't see them very often (if
ever) so I would surmise that they're not.
There's also a human resources problem with disclaimers. If you have a
simple yet automated disclaimer added by the MTA which states "We (The
Koala Kola Kompany) take no responsibility whatsoever for the content of
this email", yet the email is a contractual agreement, is it worth the
electrons used to display it? If a member of staff uses their work email
account to do something bad - rogue trading, fraud, abuse of a third
party - how can the person be held liable? They could state, quite
correctly, that the disclaimer was added by the system, not themselves,
and that the message body was also tampered with. This is unlikely, and
it is equally unlikely that someone making such a claim would be found
to be correct, but still - it's a valid defence.
In my opinion, if your company wants disclaimers then add them as a
signature as standard in the MUA at the time the message is typed. If a
member of staff then repeatedly refuses to add the disclaimer, you have
a staff policy stick with which to hit them. Management by consensus
followed by HR policy is significantly more effective than blithely
applying ineffective technical solutions.
For a more entertaining read, see Jeff Goldmarks's pages here:
http://www.goldmark.org/jeff/stupid-disclaimers/
Sure, they're a bit old, but they are funny.
Graeme
