Another View: You can't be too careful with e-mail addresses

Robert Gellman

Sometimes, little things make a big difference. Few everyday activities provide a clearer example than e-mail. One small slip, and something can become a federal case, literally.

Suppose you want to send a notice to a group. If you place each individual's e-mail address in the TO or CC (copy) field, those addresses will be visible to all recipients. Do you want, or is there a reason, to share all those addresses with every recipient? It's a question worth asking each time.

Recent cases illustrate the point. Last June, pharmaceutical manufacturer Eli Lilly and Co. mistakenly shared the e-mail addresses of a list of Prozac users. The disclosure happened when the company placed e-mail addresses in the TO field, rather than in the BCC (blind copy) field of an outgoing message.

This became a federal case, which the Federal Trade Commission later settled without imposing a fine. The states got into the act as well and pursued the company successfully, drawing considerable media attention.

In another case, the American Civil Liberties Union made the same error. It sent out an e-mail newsletter that mistakenly included the names and e-mail addresses of everyone on the mailing list, an embarrassing gaffe for an organization that preaches privacy.

I recently attended a public meeting held by an agency that will remain nameless. In an e-mail to registrants, all of the recipients were listed in the CC field. An unscrupulous vendor then hijacked the mailing list to spam recipients with a commercial mailing.

Had the agency used the BCC field, reuse would not have been possible. I e-mailed the vendor and made sure my objection was sent to everyone on the list. I wanted them to know that the vendor's conduct violated the Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act because it didn't include an opt-out for future mail.

In response, I received a message from another vendor who cross-examined me closely about the law because he wanted to spam the list too. I talked him out of it.

Sometimes, sending e-mail with open addressing (among people working jointly on a project, for instance) makes sense or is harmless.

When sending general messages, however, you should always think twice before hitting the send button. The question to consider is whether it is fair, appropriate and necessary to share addresses with all recipients. Unless you have an affirmative reason to share addresses, use the BCC field.

That also holds true for another button that should be used with care: REPLY ALL. This is another way e-mailers spew messages to people who don't care that you will attend the meeting, need directions or want to be removed from the list.

If I haven't yet convinced you, here's another reason: Messages sent to a large number of people are much more likely to be stopped by a spam filter. If that happens, then no one may get your message.

I would welcome a tool warning us when we have more than a few names in a visible e-mail address list, or when we are about to use the REPLY ALL button.

Such a warning could keep your name out of the paper someday.
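
A sketch of the kind of pre-send warning described above, added here as an illustration and not taken from the column or from any mail product. The threshold of five, the rule that a list confined to one domain counts as the harmless joint-project case, and all addresses are assumptions constructed for the example.

```python
from email.message import EmailMessage
from email.utils import getaddresses

VISIBLE_LIMIT = 5  # assumed meaning of "more than a few"; tune per policy


def visible_recipients(msg):
    """Return the addresses every recipient can read (To and Cc headers)."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(headers) if addr]


def exposure_warning(msg, limit=VISIBLE_LIMIT):
    """Return a warning string if too many addresses are visible, else None."""
    seen = visible_recipients(msg)
    domains = {a.rpartition("@")[2] for a in seen}
    # Assumption: colleagues on a single domain are the harmless case;
    # a long list spanning several domains looks like a general notice.
    if len(seen) > limit and len(domains) > 1:
        return (f"{len(seen)} addresses across {len(domains)} domains are "
                "visible to every recipient; consider BCC.")
    return None


def to_blind_copy(msg):
    """Return (rewritten message, envelope recipients) with nobody exposed."""
    blind = [a.lower() for _, a in getaddresses(msg.get_all("Bcc", [])) if a]
    rcpts = sorted(set(visible_recipients(msg) + blind))
    for name in ("To", "Cc", "Bcc"):
        del msg[name]  # recipients now travel only in the SMTP envelope
    msg["To"] = str(msg["From"])  # the only address left in the headers
    return msg, rcpts


def sample_notice():
    """Constructed sample: a meeting notice addressed openly to registrants."""
    msg = EmailMessage()
    msg["From"] = "events@agency.example"
    msg["To"] = ", ".join(f"user{i}@org{i}.example" for i in range(8))
    msg["Cc"] = "Pat Doe <pat@vendor.example>"
    msg["Subject"] = "Meeting logistics"
    msg.set_content("Agenda attached.")
    return msg
```

The recipient list returned by `to_blind_copy` has to be handed to the mail server separately, for example as the `to_addrs` argument of `smtplib.SMTP.send_message`, because the rewritten headers no longer carry it.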

My high school biology teacher used to say a word to the wise was superfluous. That may be true, but a gentle warning sometimes makes all the difference. I'll bet the folks at Eli Lilly and the ACLU wish they'd had such a warning.

Robert Gellman is a Washington privacy and information policy consultant. E-mail him at
