The background is that Steven Warshak was accused and eventually convicted of attempting to defraud the customers of Berkeley Premium Nutraceuticals (the distributor of Enzyte, an herbal supplement with some really goofy but apparently amazingly successful late night ads). The government agents in this case believed that they did not need a warrant because of some ambiguous provisions of the Stored Communications Act. (SCA was written in 1986 and had the unfortunate effect of codifying technology as it existed then. SCA has not held up well to the test of time.)

A number of privacy groups including EFF weighed in on the topic, successfully arguing that email users have a Fourth Amendment-protected expectation of privacy in the email they store with their email providers just like they do with traditional forms of communication like postal mail and telephone calls.

A warrant is easy to get and it’s unfortunate that the police in this case didn’t take the few extra minutes to document their probable cause. But the requirement for a warrant is an important check and balance on prosecution powers. The 6th Circuit did the right thing in finding that the Fourth Amendment applies to email, too. (They also did the right thing by narrowly ruling that this decision only overturns part of the matter. Warshak used some pretty sleazy practices and deserved to be put out of business.)

Next steps: It’s time for Congress to update the SCA.

Anyway, about three months ago, Yahoo launched several information sharing services. If you use the Yahoo Contacts feature, other people in your address book would be able to see what you’ve been up to – postings, connections and other activities within the Yahoo sites. And you can see information about them.

In principal, I have nothing against features that let us share information with others. My problem is the underhanded way that these companies roll the new features out. I never received any announcement about them and certainly got no training on my options to control the information they would be sharing. Worse, the default settings are “share all”. You have to know to look for and then take deliberate action to restrict the sharing. I didn’t even notice the change for months. If these companies really cared about security, the defaults would be rolled out the other way.

If you are a Yahoo user and you use their Contacts feature, here’s how to lock the program back down:

1. Log onto your Yahoo Mail account.
2. Click the Contacts tab at top left.
3. Click the Tools dropdown and select ‘Seeing Updates from …’
4. For a full lockdown, uncheck both the master settings at the top of the screen (‘Share my Updates’ and ‘See Updates in Yahoo Mail’)

If you like the sharing but want to restrict it to the people you are actually close with (rather than every random business contact that you’ve ever added to your Blackberry), go through the list and select the ‘Stop Getting Updates’ at the right of the contact’s name. You can also get a little more granular control using the ‘Manage my Updates’ link near the top left of the page. But blocking everything is easier.

The Yahoo Calendar also has some Sharing settings but since I don’t use their calendar feature, I don’t have good advice for how to lock it down. Any suggestions from people who do use it?

I have mixed opinions about the new policy. On the one hand, that industry has a very macho image. Profanity is an ingrained part of their culture. Profanity recognizes and reinforces the aggressive attitudes valued among the traders. Profanity can show the passion of the speaker. And, arguably, it helps in bonding and cultural norming. Similar trends are common among soldiers, journalists, police, some sports teams, etc. The language is offensive to outsiders but, in some ways, that’s the point. It becomes part of the group identity. And as long as it’s limited to the insiders who participate by choice, well, you should be cautious about changing the a successful culture.

Having said all that, I think the new policy is a good one. Clearly their behavior has gone too far. It was adversely impacting the business and needed to be reined in. More than that, the informal language leaked out of mere speech and into their emails, creating a permanent record that will inevitably be exposed to outsiders who do not participate in, understand or appreciate the ingroup’s culture – outsiders who may be deeply offended by the choice of language. That’s just inexcusable.

As we’ve often talked about before, emails are official business communications and must be treated as such. They deserve all the thought and professionalism that we used to put into a formal memo back in the days of carbon paper and typewriter ribbons. If you’d be embarrassed to have your email read in church or quoted on the front page of the newspaper, then you should rethink the message.

But I’m not such a fan of the automated filters that Goldman and others are using to enforce their policy. Profanity filters try to identify the offensive words and, depending on the company’s settings, return the email to the sender, block the email or allow the message to go through but flag a copy to HR. The filters use long lists of keywords, usually including common abbreviations and aliases (like adding ** in place of the vowels). The problem is that the offensiveness of a message is often dependent on context. As soon as you get a list long enough to be even marginally effective, you will inevitably suffer false positives.

As an example, my company tried to do something similar as a spam filter a few years back. In hindsight, it’s not really a surprise that construction companies (many of whom were our customers) use the word “erection” in legitimate business messages. BS can be a pejorative abbreviation or a respectable undergraduate degree. POS can describe a defective piece of hardware or your Point Of Sale register (and, yes, your POS can be a POS if you bought from the lowest bidder).

I should note that some of the most advanced filters now claim to be able to differentiate meaning based on the context of the message. They do alright for spam filtering and are showing promise for some other purposes but I don’t think they’re ready for use as profanity policy enforcement. The English language is too loose and our people are too creative. Very few of the filters would correctly parse the paragraph above and none can keep up with the changing acronyms and innuendo that people employ to dodge the censors. My prediction is that the filter will have some short-term shock value but the real change will only come when managers do their jobs – teaching employees the new standards, leading by example and holding people accountable when they backslide. That’s the only real way to change the culture.

Cloud computing means having someone else do your computing for you – taking data and calculations that you would have crunched on your own mainframe or workstation and, instead, crunching it on some computer on the internet. (The name comes from the IT diagramming convention of showing the internet as an amorphous cloud.) In theory, this gets you access to more and bigger computers than you would be able to afford yourself. It also gets you access to your data from any internet browser, not just your own dedicated computer. If you are a webmail user (yahoo, gmail, hotmail, etc), you are already using cloud computing.

There are two general business models for cloud computing providers. The first are companies who already have lots and lots of computers but who only need their computing power for surges. Amazon, Google and eBay might be examples. They have to build their data centers to handle Cyber-Monday. Renting computer time to you is a way to get back some of their investment when they’re not busy with their own crunch.

The second are companies who start out with the model of renting – the United Rentals of the computer world. IBM is moving aggressively in this space. A variation on this is Software-as-a-Service (or SAAS) where a particular vendor lets you move his application and the associated data out of your data center and onto his machines for a fee. Moving your financials to Peachtree’s online application might be an example.

In either business model, there are some serious security and legal issues to think through before you decide to outsource your computing. For example:

1. Security – Are they able to keep your data separate from the data of all their other customers? Who else now has access to your confidential data?
2. eDiscovery – If you get sued and have to turn over your computer records, can they segregate them? Can they produce your records fast enough to keep the courts happy? And how much are they going to charge you for the privilege?
3. Privacy – What if the vendor gets a subpoena or request for your data? Will they fight it? Will they even tell you about it?
4. Records Retention – Hopefully, you have a carefully thought-out policy that makes sure all information is kept as long as it is needed (either by the business or by law) but no longer. Keeping information longer than you need it is, by definition, risk without reward. How will you ensure that the vendor lives up to your policy?
5. Privacy laws – Some of these vendors send data overseas. All of them send it outside your local jurisdiction. Is this contract going to get you in trouble with any processing, retention or transfer restrictions, such as those in the European Data Protection Directive? Worse, are you going to inherit those privacy obligations because your data is comingled with others?

Cloud computing can be a boon to small businesses that are growing rapidly and can’t yet afford a dedicated data center. But the cloud can also be a dangerous place. Don’t rush into the relationship without a lot of thought and consideration for the risks and for your mitigation strategy.

To me, the answer is simple. Yes, you are responsible for anything you write, whether you post it on Twitter, a personal blog or by regular mail. If your words would be libelous when published in the newspaper, they are equally libelous published online. (Of course, speaking the truth is the best defense against accusations of libel.)

The problem in my opinion is that being online gives some people an illusion of anonymity. (And, yes, it is an illusion – more on that in future posts.) This illusion encourages some to say things that they would never say in person. This is unacceptable to me. If you have something to say, stand up and be proud. Take all the credit – and all the blame – that your words deserve. Stand behind your words, whether you post them on Facebook or shout them from a soapbox in the village square.

In fairness, there are a few exceptions to that rule. Political dissent can be quite dangerous in some parts of the world. I am lucky enough to live in a country that explicitly protects political speech. Many in this world are not so blessed. True anonymity has a place in that arena and should be protected wherever and however possible. But short of the level of physical danger, you are responsible for what you say and should not expect otherwise.

Most other privacy “conundrums” are equally easy to solve if you fairly apply the old principles to the new environment. The differences are of degree and speed, not in the fundamental principles.

CIO magazine recently published an article on keeping email from ruining your vacation. The same basic principle applies. That is, if you write well-crafted, professional, on-topic emails, the people you talk with will start to write more professionally back to you.

The CIO article goes on with some other suggestions to take advantage of new technologies to help people either remember that you’re on vacation or to help themselves while you’re gone.

• Filesharing is good. Take the time during the year to set up better collaboration and it will pay dividends when you need some time away.
• Minimize constant email exchanges. They’re too transient and hard to file. They don’t create the institutional knowledge that a wiki or well-designed fileshare can. And if it’s a really complicated or sensitive issue, email may not be the best choice in the first place. Some things should be sorted out in person.
• If you can manage a wiki, they’re great tools.
• Updating your status on Facebook, Twitter or LinkedIn will let everyone know where you are but I really do not recommend it. The updates are helpful for your customers and friends but they also paint a big red target on your house while you’re gone. You’re advertising that your house is unattended and vulnerable.

Take some time up front so that you can really be on vacation.

He went on to describe some of the attacks that can be made against a Blackberry. For example, with the right set of instructions, the phone’s microphone can be turned on without it being obvious. Someone can listen in on your conversation right through your phone. For another example, the email server can be hacked or the cell phone transmissions intercepted.

All those arguments are entirely true. And they are real reasons for the President’s security team to be worried. After all, the President really does have nuclear secrets that he needs to protect. And there are all sorts of people who would love to break into his messages and who will devote immense resources to do so.

But the story was edited in a way that implied that Blackberrys are inherently insecure for the rest of us, too. Much as I like to think highly of my own self-importance, there just aren’t that many people out there who are attacking me and they certainly won’t be devoting the same kind of resources to breaking into my phone messages.

That said, you should always remember that Blackberrys run email and email is an inherently insecure system. (You can run an encrypted email program on top of regular email but PDAs don’t support that well today.) As a matter of general practice, never say anything in email that you wouldn’t want to see on the front page of the newspaper tomorrow.

The same goes for your cell phone conversations. They are a bit better protected than the SANS guy implied but there are still ways to intercept and decrypt them. Most importantly, most cell phone intercepts require the hacker to be physically close. For those of us who are not heads of state, this dramatically reduces the risk. But you still shouldn’t say anything on a cell phone that you wouldn’t say in public.

Lastly, you should keep up to date on PDA protections. There are some new viruses that target mobile phones. The major phone companies are starting to include anti-virus on their phones. If you have it, make sure you don’t turn it off. If you don’t have it, look for that capability when you next renew your phone contract. Keep using your Blackberry but use it safely.

Halloween is a time for scary stories – tales of vampires and ghouls rising from the dead to terrify innocents – a time when things that you thought were dead and buried come back to haunt you.

Unfortunately, the analogy between badly written email and the undead is sometimes all too appropriate. A hasty word can return to haunt you long after you hit the send button and thought the conversation was over. Careers have been destroyed, money lost and relationships ruined when an email returned from beyond.

Americans have a bad habit of treating email very casually – as an extension of our last phone conversation or a continuation of the chat in the hallway. We assume that the message is private and that recipient will understand the context and correctly interpret our tone.

In fact, email is more like a postcard – anyone can read it while it’s in transit^† and any of the recipients can save it, forward it or post it to the internet. Electronic copies can remain in archives and electronic message hubs all over the Internet – places that neither the sender nor the recipient can control. Emails can be subpoenaed and forced into the public record. You have no right of privacy in your email, either sent or received. When you write an email, you must assume that it will be read by an unknown and unforeseen audience.

That unknown audience will assume that you carefully crafted and wordsmithed your message (or, if not, that the hurried email is evidence of the writer’s “real state of mind”). They will not believe that you were “just joking” and won’t care that you were trying to dash off a quick note. They will interpret the tone according to their own preconceptions.

Always assume that anything you write will come out at the worst possible time and in the worst possible light. Be professional in your email. Include enough context that the unforeseen reader understands the message. Be personable yet professional in tone. (In particular, never use sarcasm in email.) Never write anything that you would be embarrassed to see on the front page of tomorrow’s newspaper.

Remember, email can come back to haunt you.

^† Footnote: The comment that “anyone can read [your email] while it’s in transit” is less true if you have email encryption with your business partners but your words can still be saved, forwarded or otherwise sent outside your control. Please don’t assume that email encryption will protect you from sloppy wording.

A while back, we wrote a tip about "how not to look like a phish". I’ve wanted to write the companion article about not accidentally tripping the spam filters for several years now. I resisted because the rapid change in spammer tactics makes any list obsolete even before it hits the page. It will also never be a definitive list – the anti-spam vendors are justifiably worried about giving the spammers a roadmap showing how to bypass their filters. Nevertheless, there are some general rules worth discussing.

• Your subject line is important. A blank subject line (or, worse, a subject line that is ambiguous and generic like "Hi" or "I love you") will almost certainly get your message tagged as spam. A good subject line is also a courtesy to your readers, helping them to more quickly prioritize their inboxes and give your email the attention it deserves.
• Mailing to lots of people at once will increase the odds of being tagged as spam. (This is a problem for the publishers of legitimate email newsletters with large distribution lists like, say, these tips.)
• Use a company-issued email address. Sending from a free email account like yahoo.com or gmail will increase the odds of getting tagged.
• Avoid common spam words like "cheap" and the V- word (rhymes with the famous waterfall). That sometimes means completely avoiding certain topics (which can be quite difficult, especially in a newsletter like this one where we are discussing spammer tactics) but more often means avoiding flowery, inflammatory or overly-promotional language. In particular, avoid all caps and multiple exclamation marks.
• Avoid images, fancy graphics and html code in your email. Hackers and spammers hide things in those glossy "enhancements". The simpler your message, the more likely it is to get through unmolested.
• SPELL-CHECK! Spammers are getting much better at the use of grammatically correct English but bad spelling is still a surprisingly good filter for spam.
• If you are sending a newsletter, always include your real contact information and a working set of “unsubscribe” instructions at the bottom of the message. This won’t actually help you get past the spam filters – too many spammers just include fraudulent unsubscribe options in their messages – but it is the law.
• Try to keep your message under two megabytes including embedded pictures and attachments. This isn’t strictly a spam-filtering rule but many mail servers use a 2 meg/message limit to keep any one message from tying up the lines.

Finally, if you don’t get an answer in a reasonable amount of time, follow up on your message. No matter what you do or how good the filters get, some false positives will always exists. The person might be ignoring you but it’s more likely that they never got the message.

The problem is that we’ve also told you as a reader to delete any message that appears suspicious or that asks you to click through some “convenient” link. The ‘envelope’ around a secured message looks a lot like a phish. (See “How it works” below.)

Here are some tips on telling the difference between a secure mail message and a spam or phish.

• In a legitimate message, you will still be able to read the subject line and the sender. If you are not expecting a message from that sender, be suspicious.
• Once you start working with a business partner who uses a secure mail system, all secure messages from that company should look basically the same. If the logo, the layout or the text look different, be suspicious.
• A legitimate message will take you to the sender’s website to verify your login. A phish will try to take you someplace else to steal your password. If the message alleges to come from someone at redcross.org but the link is trying to take you to yahoo.com, be suspicious.
  Reminder: The only part of the domain that matters is the part immediately before the top-level domain (.com, .org, etc). Ignore everything to the left or right of the dots. In the link voltage-pp-0000.westfieldgrp.com/mail/32/, only ‘westfieldgrp’ matters for verifying the legitimacy of the message. The rest is set up by the company’s IT department to point to specific places within the company’s domain.
• Legitimate messages are written by professionals. Scam messages want to panic you into acting without thinking and often use phrases like “URGENT” and “log in now or your account will be closed”. If the language seems inflammatory, be suspicious.

If you are suspicious, call the sender and confirm the message. Please do not just delete these messages, though. There’s a fair chance they are legitimate and you wouldn’t want to lose good messages.

How it works
There are several ways to put your message in the secure ‘envelope’.
One technique doesn’t actually put the content in email at all. What you really send is a placeholder saying “You have a message waiting. Please sign in at my website to read it.” The message content stays on the sender’s webserver and never actually travels by email. Some large financial and medical institutions use this kind of secure messaging.
The other way is to pull the content off the message, encrypt it and reattach it to the message. The content travels by email and but can’t be read except by someone who knows the password. (If you don’t already have a password set up, you will be asked to verify your identity and create one.)

A third technique is Transport Layer Security (TLS), a method that protects the message from one email server to another. This requires some setup between the two companies but is otherwise invisible to both the sender and the reader. These messages can’t be easily mistaken for a phish so we won’t discuss them in this tip.
An example of that second kind of ‘envelope’ – the encrypted attachment solution – is shown below.