"We apologise for the previous apology" - NZ gov dept in email CC: double-blunder

Filed Under: Featured, Spam

When you send an email to a group of recipients who don't already know each other, you use BCC:.

Don't you?

Let us quickly revise why.

The users in the To: field (primary recipients) and the CC: field (secondary recipients) of an email get a copy of the message, including the headers To: and CC: themselves.

(CC means "carbon copy", by analogy with old-school carbon paper.)

That means they can each see the names of all the other primary and secondary recipients.

For an email such as the minutes of a meeting, it's often desirable to CC: all those who were present, since it means that everyone can see that everyone else got a copy of minutes.

The BCC: list (blind carbon copy), however, is not included in the email, so that:

  • The primary and secondary recipients don't know that the BCC: recipients saw the email.
  • The BCC: recipients don't know who else was BCCed.
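As an added illustration (not code from the original article), the Python script below mimics what a mail client does with those three header fields at submission time: every To:, Cc: and Bcc: address becomes an SMTP envelope recipient, the Bcc: header is stripped before the message goes out, and only the To: and Cc: lists survive for recipients to read. The addresses are constructed examples, and `cc_exposure_warning` is a simple pre-send check that flags a message exposing more than a chosen number of recipients to each other.

```python
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import getaddresses

# Constructed sample recipients (not real addresses).
TO = ["alice@example.org"]
CC = ["bob@example.org", "carol@example.org"]
BCC = ["dave@example.net", "erin@example.net"]


def build_message(sender, to, cc, bcc, subject, body):
    """Assemble an RFC 5322 message carrying To:, Cc: and Bcc: headers."""
    msg = EmailMessage(policy=default)
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def envelope_and_wire(msg):
    """Every To:/Cc:/Bcc: address is an envelope recipient (RCPT TO), but the
    Bcc: header is deleted from the copy that is actually transmitted.
    Returns (envelope_recipients, wire_bytes)."""
    fields = [v for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, [])]
    envelope = [addr for _, addr in getaddresses(fields)]
    outgoing = message_from_bytes(msg.as_bytes(), policy=default)
    del outgoing["Bcc"]  # blind recipients never appear in the headers
    return envelope, outgoing.as_bytes()


def visible_addresses(wire_bytes):
    """Addresses any recipient can read from the delivered message."""
    delivered = message_from_bytes(wire_bytes, policy=default)
    fields = [v for h in ("To", "Cc") for v in delivered.get_all(h, [])]
    return {addr for _, addr in getaddresses(fields)}


def cc_exposure_warning(msg, limit=1):
    """Pre-send check: number of addresses the To:/Cc: headers expose to one
    another when that exceeds `limit`, otherwise 0 (nothing to warn about)."""
    fields = [v for h in ("To", "Cc") for v in msg.get_all(h, [])]
    exposed = {addr for _, addr in getaddresses(fields)}
    return len(exposed) if len(exposed) > limit else 0
```

Moving the same addresses from CC: to BCC: makes the warning disappear while the envelope recipient list stays identical.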

For this reason, BCCing emails that already have a small, closed circulation list is often considered slightly devious or underhand: the sort of thing you might do to curry secret favour with your boss, or to leak the minutes of an internal communication to an outsider.

On the other hand, CCing a mailing list where each user has signed up independently is considered unsatisfactory.

That's because the mailing list database is supposed to be private, yet CCing everyone on the list publicises the whole list to everyone on it.

And CCing one customer's email address to another, or a list of customers to a competitor, isn't likely to make any of those customers very happy.

Even worse, of course, is that inappropriately CCing emails to an entire mailing list publicises the whole list to any spammer or scammer who gets hold of any of those emails.

And since emails frequently get forwarded, or saved on hard disks that later get scoured for email addresses by spam-sending malware, or uploaded onto online forums with all their content intact, CCed lists of email addresses aren't just a security irrelevancy.

It might not sound too serious to CC an email to 20, 50 or 100 people who don't already know one another, but even if nothing deleterious happens as a direct result, it's a bad look for the sender.

So we had to smile (wryly, of course) when Naked Security reader hotdoge3 pointed us at a story from New Zealand in which a government department made a carbon-copy blunder by sending a "thanks for submitting your comment" email via CC to everyone who had submitted a comment via its website.

Assuming that the submissions were supposed to be anonymous, or at least private and individual, that's a mistake that really ought to have been avoided.

Thankfully, with only 150 people allegedly on the CC: list in the first place, the scale of the leakage was small.

But the story took an amusing twist when the Ministry for the Environment followed up with an "our fault, really sorry about that" email that was itself CCed to everyone.

And this, in turn, prompted a third email (apparently avoiding yet another round of recursion by correctly using BCC:, not CC:) to apologise, in a way that would have made Monty Python proud, for the previous apology.

The lessons to be learned are:

  • The To: and CC: headers are revealed to every recipient.
  • The BCC: header is not.
  • Don't put multiple recipients in CC: unless you intend them to see each others' addresses.
  • Leaking email address lists via CC: helps spammers and scammers, even if only slightly.
  • CCing customers' email addresses to other customers is unlikely to make a good security impression.
  • Think before you send, and if in doubt, use BCC:.


11 Responses to "We apologise for the previous apology" - NZ gov dept in email CC: double-blunder

  1. what next? · 383 days ago

    It is unfortunately a case of "But wait, there's more!", from NZ government departments...
    http://www.nbr.co.nz/article/privacy-commissioner... http://www.nbr.co.nz/article/brownlee-shuts-eqc-e...

  2. John H · 383 days ago

    I made this mistake once. I made up a joke before the days of facebook and wanted to share it with my email list. I sent it out and a couple of people started arguing about something completely off topic. They went back and forth over and over, always hitting <reply all> each time. So my brother, my priest, and my dentist were just a few of the folks that let me know what a mistake that was.

  3. Sue · 383 days ago

    Just an FYI..CC: means COURTESY copy...

    From a former secretary

    • Paul Ducklin · 382 days ago

      From RFC 5322, the official Internet Engineering Task Force document about email, entitled "Internet Message Format":

      ---cut here---
      The "Cc:" field (where the "Cc" means "Carbon Copy" in the sense of making a copy on a typewriter using carbon paper) contains the addresses of others who are to receive the message, though the content of the message may not be directed at them.

      The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains addresses of recipients of the message whose addresses are not to be revealed to other recipients of the message.
      ---cut here---

      The full document is at http://www.rfc-editor.org/rfc/rfc5322.txt

      • Dave · 380 days ago

        Love it when someone corrects you, and you provide solid evidence to the contrary. For some reason it really makes my day (-:

  4. kzm · 383 days ago

    An additional criterion in deciding whether to put an addressee in the CC: (or BCC: field) is whether (or not) you want that addressee to receive any subsequent reply to that message.

  5. Ugh. The Royal Mail (UK mail service) do this all the time when contacting our company (UK mailing house). It drives me nuts and I have informed the person who sends the email to use about the CC and BCC rules, but it never sinks in. I think the worst case was when they CC'd just under 80 other companies into the same email.

  6. Roger · 382 days ago

    I tried in vain, indeed, I pleaded with my friends, to get the mass-mailing ones to use BCC to me after my second e-mail address, like the first started getting spam, but to no avail. I don't get much spam on my now third address, but I shouldn't get any at all. Funny thing is, even intelligent friends (all my friends are intelligent, by the way!) persist in sending mass mailing with names and addresses for all and sundry to see and harvest. They obviously think that as they're mailing friends, it's as secure as the Bank of Cyprus, despite having been told. Bah!!

  7. Mike · 382 days ago

    The "previous" mistake was sending out an email to an external person by mistake, with an Excel spreadsheet of details containing estimated repair costs and details on 80,000 people affected by the Christchurch (New Zealand) earthquake.... oops.

    The Minister then leapt into action before Easter & shut down ALL EQC external communications. Email / Website & business to business comms. Which seems a little extreme. A few techs have no doubt been busy over the long Easter weekend putting in a few firewall or email rules..... we shall see if it works tomorrow.
    (keep your eye on http://www.eqc.govt.nz )

    This is almost as much fun as the Yahoo / Telecom New Zealand email security exploit blunder that affected a lot of xtra.co.nz and Yahoo users last month. (You missed covering that one Paul!)

    • Paul Ducklin · 382 days ago

      Indeed.

      The thing that caught my eye particularly about this one, being a Python fan, was the "we apologise for the previous apology" angle.

      Thought it would be a light-hearted way to issue a useful "weekend reminder" :-)

      As previous commenters seem to suggest, it's a lesson that many of us still need to learn - especially the thought that BCC only really applies if you have a full-on mailing list of recipients. BCC is appropriate *even if there are only two recipients* whose addresses ought not to be cross-shared...

  8. 4caster · 380 days ago

    I like to know who has also received an email sent to me, so that I can exclude such people before forwarding it to my other contacts. No-one likes receiving the same email two or three times.


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog