Outlook/Exchange and "Read Receipt" : privacy ?

Andre Earl Paquet Andre.Earl.Paquet at UMontreal.CA
Fri Sep 20 20:15:25 GMT 2002


Hi,

     I would like to have the opinion of the readers of this list
about what seems to me to be a privacy problem with the "Read
Receipt" feature of Outlook under Exchange.

     a) my University has decided to make Exchange (and Outlook)
        our official email platform. For now, it is just for
        the employees (including teachers), but sooner or later,
        the students will go this way. The service is being
        deployed with Exchange 2000.

        Note : please, no flame about the choice in itself. It's
               not my choice either, but I have to live with it.

     b) I was recently informed about the "Read Receipt" feature
        (along with the "Delivery Receipt" feature) of Outlook,
        under Exchange.

        I have privacy concerns about the "Read Receipt" feature.

        Here is how it goes : an Outlook user (the sender) may
        request to receive (from Exchange) a "Read Receipt"
        when the destination user reads the message. The
        destination user has no way to decide (and to enforce)
        that he/she does not wish anybody to know when he reads
        (or does not read) this or that message. I am told, this
        is only configurable globally for the Exchange site,
        and not individually.

        Also, I am told that this confirmation is also sent to
        whoever has requested it, even if the sender is outside
        the Exchange domain.

     c) Please correct me, if I don't get it technically.

     d) If all this is true, it seems intolerable to me, from
        a privacy standpoint. I have already received complaints
        from people considering that what message they read or
        don't read is their own business. I agree with those
        complaints.

        Some people tell me that it is not worse than registered
        mail. I disagree because :
              -registered mail is not free so it generally isn't
               used frivolously;
              -anybody in a household can sign to accept
               registered mail : so it is not a proof that
               it was read.

     So, I would like to have your opinion : do you think a
"Read Receipt" is an acceptable feature in a University ?
What do you do yourself (if you are in the same situation) ?

Thank you,

--

 Andre Earl Paquet (CISSP)
 Officier de securite informatique / Security Officer
 Universite de Montreal, D.G.T.I.C.
 Immeuble Principal
 Case Postale 6128, Succursale Centre-Ville
 Montreal, QC
 Canada  H3C 3J7

 tel.  : (514) 343-6111 ext 5205
 fax   : (514) 343-2155
 email : Andre.Earl.Paquet at UMontreal.CA
         securite at UMontreal.CA
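
Added example, not part of the original post: for mail arriving over SMTP from outside, a read-receipt request travels as a message header, `Disposition-Notification-To` in the MDN specification (currently RFC 8098). The sketch below shows how a hypothetical inbound filter could log and remove such requests before delivery; the function name, the sample message and the idea of running it in front of the mail server are assumptions, not something the post describes.

```python
from email import message_from_string

# Headers that ask the recipient's mail client to confirm reading.
# Disposition-Notification-To is the standard one; the other two are
# older, non-standard equivalents that some clients still honour.
RECEIPT_HEADERS = (
    "Disposition-Notification-To",
    "Return-Receipt-To",
    "X-Confirm-Reading-To",
)


def strip_receipt_requests(raw):
    """Remove read-receipt requests from one RFC 5322 message.

    Returns (cleaned_text, removed), where removed is a list of
    (header_name, value) pairs suitable for an audit log.
    """
    msg = message_from_string(raw)
    removed = []
    for name in RECEIPT_HEADERS:
        # Header lookup is case-insensitive; get_all returns every copy.
        for value in msg.get_all(name, []):
            removed.append((name, value.strip()))
        del msg[name]  # deletes all occurrences, no error if absent
    return msg.as_string(), removed


# Constructed sample message (addresses are placeholders).
SAMPLE = (
    "From: sender@example.org\n"
    "To: recipient@example.edu\n"
    "Subject: Exam schedule\n"
    "disposition-notification-to: <sender@example.org>\n"
    "\n"
    "Please confirm.\n"
)

if __name__ == "__main__":
    cleaned, removed = strip_receipt_requests(SAMPLE)
    for name, value in removed:
        print("removed %s: %s" % (name, value))
    print(cleaned)
```

This only covers requests carried in Internet mail headers; whether the server itself answers receipt requests is still governed by its own configuration.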


