Xref: utzoo comp.admin.policy:74 comp.unix.admin:1951
Newsgroups: comp.admin.policy,comp.unix.admin
Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!think.com!zaphod.mps.ohio-state.edu!magnus.acs.ohio-state.edu!csn!stan!imp
From: imp@solbourne.com (Warner Losh)
Subject: Re: E-mail Privacy
Message-ID: <1991May24.074601.27921@solbourne.com>
Organization: Solbourne, User Interface Group
References: <15110@ccncsu.ColoState.EDU>
Date: Fri, 24 May 1991 07:46:01 GMT

In article <15110@ccncsu.ColoState.EDU> conca@handel.cs.colostate.edu (michael vincen conca) writes:
> Yesterday, this employee was terminated. He/she was allowed to gather
> their things and purge all of their personal files from the system. Today,
> my boss asked if it would be possible to retrieve this employee's E-mail
> off of backup, find the memo, and print it out in case it was needed as
> evidence in a possible court case.

I won't cover the legal aspects, since I'm not a lawyer. Things I do know (all of this is SMTP mail):

1) It is possible to forge E-Mail with VERY LITTLE effort. I have done it in the past and it is UNTRACEABLE.

2) I don't think that it is admissible evidence in a court of law since it can be tampered with in a number of ways. First, I can edit the mbox file (or whatever) once I get the mail. Second, just because a mail message has user foo as the sender doesn't mean that user foo sent the mail message (see #1).

Basically, you can't prove that a given piece of e-mail was actually sent by the person who claims it was sent by, unless someone saw them send the mail message.

It is not possible, in general, to even prove that someone got a copy and read the mail. The accused could very easily deny ever getting the mail message. Unless you saw the person read the mail, you can't prove that he did, even if you can show the mail in his in box and then later in his out box. User interfaces can do some odd things to mail.

Also, the accused could argue that you tampered with the evidence (you do have the capability to do that (even if you wouldn't) since you are root).

Unless you gave this person a paper copy of the Memo on some official looking letterhead, then I'd say that you wouldn't have very strong evidence to be used in a court of law. It would boil down to your word against his (which is what it was before).

VMS's mail system has similar holes, btw.

Warner

P.S. Privacy enhanced mail doesn't solve most of these issues, although it makes it harder to forge mail (but not completely impossible).

--
Warner Losh		imp@Solbourne.COM
The question to everyone's answer is usually asked from within