[unisog] Outlook/Exchange and "Read Receipt" : privacy ?

Arnold, Jamie harnold at binghamton.edu
Sat Sep 21 01:57:02 GMT 2002

The read receipt option is not a global one.  It can be set individually, on
the client.

Outlook 2002:

Email Options
Tracking Options


-----Original Message-----
From: Andre Earl Paquet [mailto:Andre.Earl.Paquet at UMontreal.CA] 
Sent: Friday, September 20, 2002 4:15 PM
To: unisog at sans.org
Subject: [unisog] Outlook/Exchange and "Read Receipt" : privacy ?


     I would like to have the opinion of the readers of this list about what
seems to me as a privacy problem with the "Read Receipt" feature of Outlook
under Exchange.

     a) my University has decided to make Exchange (and Outlook)
        our official email platform. For now, it is just for
        the employees (including teachers), but sooner or later,
        the students will go this way. The service is being
        deployed with Exchange 2000.

        Note : please, no flame about the choice in itself. It's
               not my choice either, but I have to live with it.

     b) I was recently informed about the "Read Receipt" feature
        (along with the "Delivery Receipt" feature) of Outlook,
        under Exchange.

        I have privacy concerns about the "Read Receipt" feature.

        Here is how it goes : an Outlook user (the sender) may
        request to receive (from Exchange) a "Read Receipt"
        when the destination user reads the message. The
        destination user has no way to decide (and to enforce)
        that he/she does not wish anybody to know when he reads
        (or does not read) this or that message. I am told, this
        is only configurable globally for the Exchange site,
        and not individually.

        Also, I am told that this confirmation is also sent to
        whoever has requested it, even if the sender is outside
        the Exchange domain.

     c) Please correct me, if I don't get it technically.

     d) If all this is true, it seems intolerable to me, from
        a privacy standpoint. I have already received complaints
        from people considering that what message they read or
        don't read is their own business. I agree with those

        Some people tell me that it is not worse that registered
        mail. I disagree because :
              -registered mail is not free so it generally isn't
               used frivolously;
              -anybody in a household can sign to accept
               registered mail : so it is not a proof that
               is was read.

     So, I would like to have your opinion : do you think a "Read Receipt"
is an acceptable feature in a University ? What do you do yourself (if you
are in the same situation) ?

Thank you,


 Andre Earl Paquet (CISSP)
 Officier de securite informatique / Security Officer  Universite de
Montreal, D.G.T.I.C.  Immeuble Principal  Case Postale 6128, Succursale
Centre-Ville  Montreal, QC  Canada  H3C 3J7

 tel.  : (514) 343-6111 ext 5205
 fax   : (514) 343-2155
 email : Andre.Earl.Paquet at UMontreal.CA
         securite at UMontreal.CA

More information about the unisog mailing list