Bill Jackson | More than we wanted to know

Cybereye | Commentary: Be careful how you use the

Call it what you will (shooting yourself in the foot, giving yourself a black eye), the Homeland Security Department suffered a self-inflicted wound to the ego this month when a subscriber on one of the department's e-mail lists used the 'reply to all' button on a message and touched off an avalanche of replies, replies to replies and replies ad infinitum that swamped the in-boxes of subscribers around the world.

The department's daily report on critical infrastructure security issues, a sort of online clipping service, was the vehicle for the snafu, and the problem was that individual subscribers were able to reply to the entire distribution list. When the first message was received by the list, the realization that this could be done apparently provided a temptation too great for a good many readers to resist. The result probably was no worse than a few chuckles and a lot of frustration, but it got a lot of media attention, primarily because DHS was involved.

The department responded with a notice that it was aware of the problem and planned to correct the posting privileges on the server. "Distribution will also be via BCC [blind carbon copy] to allow forwarding without bouncing off the distro list," the notice said. "As practitioners of national-security best practices, let's set an example and not clog the communications channel with further white noise, please."

It would be easy to blame DHS, and indeed they have to accept a good deal of the responsibility. But the real problem is the people who indiscriminately use the 'reply to all' function. Use of this function, either advertently or inadvertently, has been a troublesome source of data leakage since the inception of e-mail.

Sometimes the result is merely embarrassing. A prime example of this is the 2004 case of a career adviser in London whose response to a message from her boyfriend included some sexual details that she probably would rather have kept private. But she hit the wrong button and sent the reply to 30 of his friends as well, who could not resist sending it to 30 of their friends, and it quickly became international news.

The company she worked for issued a statement saying, "We have staff procedures in place to deal with any incidents of this nature." It did not specify what those procedures were, but it might be safe to assume that the young woman found herself in need of some career counseling.

But broadcasting data also is a serious security risk. It does not take too much imagination to see that improper replies could result in the loss of proprietary, sensitive or even classified information.

But another good reason to avoid using 'reply to all' is just that it is not necessary most of the time and is an irritation for those of us who have to wade through e-mails that we are not interested in. I once did a count of a large number of messages that had accumulated in my deleted box and found that more than 80 percent of them had been deleted without being opened. If I do not want to read 80 percent of the messages that are addressed to me, why would anyone think that I would be interested in replies to those messages?

But some people persist in using 'reply to all' as a matter of course, apparently thinking that others on the list want to be kept in the loop. Others are under the impression that they are clever and that the rest of the world needs to know it. But for every recipient of such a response who is amused, there are at least 19 who are irritated about having to send another message to the trash folder and by the thought that a rash of new replies undoubtedly is on the way.

So I have some advice for Microsoft and other makers of e-mail client software. Eliminate the 'reply to all' button, or at least hide it somewhere and make it much harder to use. And when someone hits that button, a confirmation box should pop up asking, 'are you sure you really want to send the reply to all? Really sure? REALLY SURE? I wouldn't advise it!'

About the Author

William Jackson is a Maryland-based freelance writer.
