[unisog] Outlook/Exchange and "Read Receipt" : privacy ?
harnold at binghamton.edu
Sat Sep 21 01:57:02 GMT 2002
The read receipt option is not a global one. It can be set individually, on
From: Andre Earl Paquet [mailto:Andre.Earl.Paquet at UMontreal.CA]
Sent: Friday, September 20, 2002 4:15 PM
To: unisog at sans.org
Subject: [unisog] Outlook/Exchange and "Read Receipt" : privacy ?
I would like to have the opinion of the readers of this list about what
seems to me as a privacy problem with the "Read Receipt" feature of Outlook
a) my University has decided to make Exchange (and Outlook)
our official email platform. For now, it is just for
the employees (including teachers), but sooner or later,
the students will go this way. The service is being
deployed with Exchange 2000.
Note : please, no flame about the choice in itself. It's
not my choice either, but I have to live with it.
b) I was recently informed about the "Read Receipt" feature
(along with the "Delivery Receipt" feature) of Outlook,
I have privacy concerns about the "Read Receipt" feature.
Here is how it goes : an Outlook user (the sender) may
request to receive (from Exchange) a "Read Receipt"
when the destination user reads the message. The
destination user has no way to decide (and to enforce)
that he/she does not wish anybody to know when he reads
(or does not read) this or that message. I am told, this
is only configurable globally for the Exchange site,
and not individually.
Also, I am told that this confirmation is also sent to
whoever has requested it, even if the sender is outside
the Exchange domain.
c) Please correct me, if I don't get it technically.
d) If all this is true, it seems intolerable to me, from
a privacy standpoint. I have already received complaints
from people considering that what message they read or
don't read is their own business. I agree with those
Some people tell me that it is not worse that registered
mail. I disagree because :
-registered mail is not free so it generally isn't
-anybody in a household can sign to accept
registered mail : so it is not a proof that
is was read.
So, I would like to have your opinion : do you think a "Read Receipt"
is an acceptable feature in a University ? What do you do yourself (if you
are in the same situation) ?
Andre Earl Paquet (CISSP)
Officier de securite informatique / Security Officer Universite de
Montreal, D.G.T.I.C. Immeuble Principal Case Postale 6128, Succursale
Centre-Ville Montreal, QC Canada H3C 3J7
tel. : (514) 343-6111 ext 5205
fax : (514) 343-2155
email : Andre.Earl.Paquet at UMontreal.CA
securite at UMontreal.CA
More information about the unisog