Stupid Email Disclaimers

It has become fashionable, particularly in the UK, for management in various organizations to insist that various disclaimers and confidentiality notices be appended to all outgoing email. I've seen loads of them over the years, but have only now (2001-01-22) started collecting them, so the collection does start very small.

A typical example is from Luton Sixth Form College, lutonsfc.ac.uk:

This e-mail is intended for the addressee shown. It contains information that is confidential and protected from disclosure. Any review, dissemination or use of this transmission or its contents by persons or unauthorized employees of the intended organisations is strictly prohibited.

The contents of this email do not necessarily represent the views or policies of Luton Sixth Form College, its employees or students.

I have recently had my attention drawn to the phrase "persons or unauthorized employees" in the above disclaimer. Beyond drawing attention to it, it requires no comment.

Anyway, if the PHBs at Luton 6th Form College (or any other site whose stupid disclaimers I list here) think that their disclaimer (or anything else) makes it unlawful for me to quote the disclaimers here, they know where to find me.

Table of Contents

  1. Why these are stupid
  2. What are you left with?
  3. Don't just do something, stand there!
  4. The list [Last modified: Sunday, 09-Dec-2001 13:53:43 PST]
  5. Adding to this list and making suggestions
  6. Fun disclaimers [Last modified: Friday, 03-May-2002 05:24:35 PDT]
  7. Problems of appending disclaimers [Last modified: Thursday, 14-Aug-2003 06:43:31 PDT]
  8. If you must
  9. Other resources

Why these are stupid

Why are these stupid? Let me count the ways.

Legal status

There are typically two parts of these disclaimers. One part says that the message doesn't necessarily represent official policy. If that is worded carefully, it might be sensible. It is the other part of these things (confidentiality, unintended recipient, etc) that is the really silly bit of these. I simply don't believe that those statements have any legal force whatsoever.

Imagine the following disclaimer at the end of an email message:

Notice: Unless you are named "Arnold P. Fasnock", you may read only the "odd numbered words" (every other word beginning with the first) of the message above. If you have violated that, then you hereby owe the sender 10 GBP for each even numbered word you have read.

Such a statement should have no force of law. The sender can't in general unilaterally stipulate conditions on what the recipient may or may not do with the email. (In specific cases, such as copyright, the author may, of course, stipulate what rights are granted to the recipient. There are other instances where there is an implied contract of confidentiality, but those are not created merely by the sender sticking the word "confidential" on a message.)

It appears that WebLaw's site agrees with me. Although they seem to advocate use of these disclaimers, their summary (based on their understanding of English law) of their Legal Position of Email Disclaimers document says:

The value of disclaimers is limited, since the courts normally attach more weight to the substantive content of the communication and the circumstances in which it is made than to any disclaimer. Having said that, disclaimers may possibly be helpful if an issue ends up in court in various respects such as those described below and, since disclaimers cost (almost) nothing, it is worthwhile to use them. Even though their effectiveness in court is doubtful, they may provide a useful argument in negotiations to resolve a dispute.

Which sounds like they are saying that they have no legal value, but you still might be able to frighten people with them anyway if you have sufficiently scary lawyers.

Tautology

The "this message is intended for the intended recipients" is tautological at best. At worst it ...

Forbids mail being passed to the appropriate person

When I was an assistant postmaster at a mid-sized UK university, I would routinely get mail forwarded to me for me to deal with. But the original mail contained such a non-disclosure blurb. I would act on the message, even though according to the blurb my acting on information in a message not addressed to me was "strictly prohibited" (or "subject to litigation" or whatever nastiness is threatened.)

There are many cases where the sender of a message hopes that the message will get passed on to the appropriate person (who may not be explicitly addressed in the message), yet if the disclaimer is to be taken seriously that can't be done.

Mailing lists

Email discussion lists get widely distributed and often publicly archived. That appears to be in violation of these sorts of disclaimers. Thus your silly disclaimer is archived for all the world to see in a place where it clearly is silly.

Press releases

The New Scientist has complained about getting press releases with those disclaimers. What is it supposed to do with those?

Official policy

If the mail system always adds a disclaimer saying that the message doesn't represent official policy, then how do you state official policy by email?

If the disclaimer says that the message "does not necessarily represent official policy" then that is like having no disclaimer at all. It leaves it up to the reader to determine whether the message states official policy.

Is there a paper parallel?

I've always wanted to know whether organizations which insist on those disclaimers also apply the same policy to paper communication. Suppose I get email with such a disclaimer and I get a paper letter from someone in the organization without one. Am I to conclude that I may disclose what is in the paper letter and that it is official policy?

Contradictory requirements

Instead of being tautologies, some of these disclaimers actually give you contradictory requirements. Basically they say things like "If you are not the intended recipient ... any action taken ... is prohibited. ... If you have received this e-mail message in error please notify [us] ... Please delete this message."

So on the one hand, if I am not the recipient I am told that I cannot act on information in the message. On the other hand, I am instructed to take particular actions in that case.

One could, I suppose, say that the disclaimer doesn't apply to itself. (After all, I'd be violating them all by publishing them if they weren't.) But the disclaimers don't usually say that. And some of the disclaimers point out that the message may have been intercepted and tampered with, which surely does apply to the disclaimer. Indeed that is what adding the disclaimers actually does. So we are left with these highly legalistic sounding things which require that the reader apply them selectively because the authors of the disclaimer couldn't have actually meant what they said.

Tampering with mail

Adding these disclaimers may be considered tampering with mail. Some people have said that adding these disclaimers in Germany would probably be illegal. I have made no attempt to verify that assertion, but suspect that it is false if the senders of the mail are informed that such tampering will occur.

Addressee vs intended recipient

In my experience most misdirected mail is a consequence of users misaddressing messages. Typically they select the line in their address book adjacent to the one they intended. These disclaimers talk about the "addressee". On the other hand, if they were to talk about the "intended recipient" it would require that the recipient be a mind reader.

False positives and false negatives may leave you more vulnerable

This is covered more in the section on what you are left with, but it is worth repeating. In adding the disclaimers, you may have both "false positives" and "false negatives". The former are messages that get the disclaimer but shouldn't (e.g. press releases). The latter are messages that don't get the disclaimers but should (e.g. a message sent from an employee at home, but using a work email address).

False positives undermine your entire set of disclaimers. They simply tell people that your disclaimers are to be ignored. They also open the doors for people to do unwanted things with your messages (ignore press releases, remove things from archives that should be archived, get your users thrown off mailing lists).

False negatives invite people to assume that the messages that somehow come without the disclaimers are official policy or shouldn't be treated confidentially.

These problems are created by using disclaimers, making them worse than just silly.

What are you left with?

If the disclaimers are meant to do anything (and are not mere tautologies) then you are left with a few possibilities if you want to keep the disclaimer and non-disclosure notice.

  1. Put the disclaimer on all out-going messages, but hope that the recipients will ignore it where it is ridiculous.

    I've described a few cases where application of the disclaimer is ridiculous. You could hope that people will just kindly laugh and ignore the disclaimer in those circumstances.

    Beyond making you look ridiculous, the problem with that is that it actually undermines the rule of law (and, of course, any teeth in the actual threat: if someone uses the message in a way that you do wish to sue about, and you try to base your suit on the disclaimer, a defense can be that in a vast majority of cases you have allowed (and desired) violation of those terms). If you wish to base your case on things other than the disclaimer, then the disclaimer is not needed.

  2. Have users select whether to include the disclaimer or not.

    This might work, but there is a slight problem. If some of your messages appear with a disclaimer and others do not, then there may be the implication that all those without the disclaimer are official policy or may be published or distributed.

  3. Try to write a disclaimer that covers all of the exceptions. I do not believe that this will be possible. It will probably end up doubling the size of most of your email as well. But there are strategies for this. You could say "unless otherwise noted in the text of the message, this does not reflect official policy". Thus, you ask your users to disclaim your disclaimer at various times.

    You could also get around the length problem by placing the disclaimer on a website and just mentioning the URL in the email. If you do this, be certain to maintain distinct versions of the URL disclaimer, since if you change what is on the web pages, previous email should have the "old" disclaimer.

    Despite these, I simply don't think that it would be possible to cover all of the exceptional cases beyond saying "please treat this email message in a reasonable way, or we might get angry".

In the end, I think, although I am vastly ignorant of the law here, that adding disclaimers only makes you more vulnerable. This is because without disclaimers reasonable conventions and existing law apply. But once you add the disclaimer you had better get it exactly right and on exactly the right messages, and you sacrifice reasonable convention.

And, of course, these do make your institution look silly.

Don't just do something, stand there!

I can sympathize with the manager who is getting worried about all of the communication going in and out of the organization with the help of modern technology. That manager may fear that someday one of those email messages is going to come back and bite them. It is not unreasonable to worry about that. And there is often the strong feeling that "something must be done". But often when there is a feeling of urgency that something must be done, the wrong thing gets done. Managers looking for something to do see the stupid disclaimers of others and follow that crowd.

Instead managers should look at the nature of the organization and email from it. If you are a university, you have staff, faculty, students, maybe alumni sending from your network or with email addresses in your domain. Recipients know that. Maybe it would be good to move toward distinguishing in the email addresses the different types of people. People know that students don't speak for their universities.

For a business, just as you train and allow people to talk to outsiders on the telephone you may wish to issue customer relations guidelines for email.

The list

See a separate file for the list of stupid disclaimers. [Last modified: Sunday, 09-Dec-2001 13:53:43 PST]

Adding to this list and making suggestions

If you know of a stupid disclaimer, send mail to disclaimers@goldmark.org. I will keep your identity secret although I may try to verify the disclaimer by writing to the site saying that they've been anonymously nominated for the stupid disclaimers web page.

Also send mail with comments or additions. I'll try to incorporate them as I have time.

Limited credit

I wish to thank many many people who have submitted things to me and who have provided extremely useful and insightful (and amusing) comments. However, a number of the submissions come from people close to the organizations with the stupid disclaimers, and so I thought that I should leave all contributions uncredited with the exceptions of the ones that I noticed.

Fun disclaimers

See a separate document for the parody disclaimers. [Last modified: Friday, 03-May-2002 05:24:35 PDT]

Appending disclaimers

There is a separate document which discusses problems of actually appending the disclaimers. [Last modified: Thursday, 14-Aug-2003 06:43:31 PDT]

If you must...the least stupid way

If, after all of this you still feel that you need to be seen to be doing something even though it will do more harm than good for your institution, it is worth looking at a form of disclaimer which has the least severe of the problems discussed.

So what would such a least bad disclaimer look like? Here are some criteria

  1. It should be true
    1. No threats of legal action with no basis in law
    2. No claims to bind someone to a confidentiality or other conditions which they didn't accept.
    3. No requests to not distribute things that actually should be distributed.
    4. No claims of non-official policy on messages which are official policy.
  2. False negatives shouldn't be a problem.
  3. It should be short.
  4. It should avoid pretentious, pompous or legalistic language where possible.

Basically, these criteria rule out the confidentiality stuff and the intended recipient stuff. They also rule out a one-size-fits-all statement which is supposed to apply to the specific message it is appended to. That leaves a generic reminder that email messages don't necessarily represent official policy. So,

Email from people at your.domain.here does not usually represent official policy of Your-Organization-Here. See URL-Of-Policy-Document-Here for details.

Let's look at this bit by bit. It doesn't say anything like "this message". That way, a false negative (a message without the statement) can't be so easily taken to be official policy. It says "not usually" so it does allow for official policy to occasionally be stated in email. You may replace "usually" with "necessarily" if you feel that a substantial portion of email with your organization's name on it does state policy. It doesn't make any ridiculous legal assertions about the responsibilities of recipients. It doesn't make any claim about the legal status of the message it is appended to.

This should not be implemented the absolutely stupid way nor the merely stupid way. Instead it should be applied using both the fairly silly way and the merely silly way, as discussed in the document that discusses the manner of appending stupid disclaimers.

Are you disappointed at how weak this disclaimer is?

This "least bad" disclaimer makes a very weak statement, and doesn't seem like it is worth having at all. Well, maybe it isn't worth having at all. But at least this one doesn't make ridiculous claims about the email that you send.

Stupid disclaimers are not in the best interest of your organization. Please don't put your personal need to be "seen to be doing something" above the interests of your organization.

What should be on the cited policy document

The policy document listed in the disclaimer:

  1. Must not include false or unenforcible legal requirements upon the recipient.
  2. Must not assert things about all messages unless you are absolutely sure that it is true of all messages.
  3. Should advise readers that email can be very easily forged, and may wish to point users to resources regarding that.
  4. Should advise readers that email can easily be misaddressed, and request that, should they receive such a message, they inform the sender and respect the sender's wishes where appropriate.
  5. Should advise readers that email may be intercepted, or even tampered with by third parties.
  6. Should inform readers of your institution's policies regarding interception and tampering of email.
  7. Should provide (or link to) detailed contact information including postal address, full legal name, telephone and fax numbers, how to contact the DPA officer (UK only).
  8. Must provide information on how a recipient of some mail can verify whether its contents should be taken as policy of the organization.
  9. Should provide information on who (usually postmaster) a recipient can contact to verify a suspected forgery.
  10. Must maintain a version history, so people can find the version that was published at any time in the past (particularly at the time that a particular message was received).

Other resources

I don't (yet) have much in the way of other resources, but as I've said elsewhere, all lists start small.

Email Disclaimer FAQ (SOMIS, Dundee University)
    This takes a slightly more sympathetic approach to the question than I do, but it generally concludes that they are more trouble than they are worth. The version I read was last modified April 1999.

WebLaw's Legal Position of Email Disclaimers
    They take a far more sympathetic view of such disclaimers than I do, but see my comment on their summary in the legal status section.

Anubha Charan's article on Rediff
    This article discusses the perceived need for disclaimers and their usefulness (about which it is skeptical). The general issues overlap with what is described here. Its focus is on Indian law.

The Register's Longest Email Disclaimer award
    It also lists links to some other winners of dubious honors with respect to email disclaimers.

Slashdot's discussion of the Register's award
    Someone in that discussion pointed out this page. That discussion has many examples illustrating the same points made here.

A site advocating use of email disclaimers
    I will leave it to readers to decide whether their advocacy piece addresses the concerns that I raise in my document. It does a good job of distinguishing among the many perceived reasons for having disclaimers. Although it advocates disclaimers, it clearly notes that a disclaimer does not eliminate employer liability for employees sending libelous material.

Interestingly the owner, Deborah Galea, of emaildisclaimers.com and the companion site, www.email-policy.com, fails to identify herself on the sites. Nor do the sites mention that she works for Red Earth Software, which sells PolicyPatrol, an add-on to MS-Exchange which will (among other things) add email disclaimers.

There is, of course, nothing wrong with advocating the use of tools you sell. But I do wonder why the relationship between the analysis/advocacy sites and the software firm has been left so obscure for so long. At the very least one would have expected them to mention this fact on the page where they compare a few providers of disclaimer-adding software, http://www.emaildisclaimers.com/Global_signature_software.htm. One would think that people so concerned about disclaimers would be careful to disclose such important information. Whether this calls into question the trustworthiness of Red Earth Software is something for potential customers to decide for themselves.

Note: My comments about emaildisclaimers.com apply to their site as seen as recently as July 23, 2003. According to their webserver, the crucial pages haven't been modified since December 18, 2001.

Version: $Revision: 1.43 $
Last Modified: $Date: 2003/08/14 13:33:09 $ GMT
First established Jan 22, 2001
Author: Jeffrey Goldberg