“We apologise for the previous apology” – NZ gov dept in email CC: double-blunder

When you send an email to a group of recipients who don’t already know each other, you use BCC:.

Don’t you?

Let us quickly revise why.

The users in the To: field (primary recipients) and the CC: field (secondary recipients) of an email get a copy of the message, including the headers To: and CC: themselves.

(CC means “carbon copy”, by analogy with old-school carbon paper.)

That means they can each see the names of all the other primary and secondary recipients.

For an email such as the minutes of a meeting, it’s often desirable to CC: all those who were present, since it means that everyone can see that everyone else got a copy of minutes.

The BCC: list (blind carbon copy), however, is not included in the email, so that:

  • The primary and secondary recipients don’t know that the BCC: recipients saw the email.
  • The BCC: recipients don’t know who else was BCCed.

For this, reason, BCCing emails that already have a small, closed circulation list is often considered slightly devious or underhand: the sort of thing you might do to curry secret favour with your boss, or to leak the minutes of an internal communication to an outsider.

On the other hand, CCing a mailing list where each user has signed up independently is considered unsatisfactory.

That’s because the mailing list database is supposed to be private, yet CCing everyone on the list publicises the whole list to everyone on it.

And CCing one customer’s email address to another, or a list of customers to a competitor, isn’t likely to make any of those customers very happy.

Even worse, of course, is that inappropriately CCing emails to an entire mailing list publicises the whole list to any spammer or scammer who gets hold of any of those emails.

And since emails frequently get forwarded, or saved on hard disks that later get scoured for email addresses by spam-sending malware, or uploaded onto online forums with all their content intact, CCed lists of email addresses aren’t just a security irrelevancy.

→ It might not sound too serious to CC an email to 20, 50 or 100 people who don’t already know one another, but even if nothing deleterious happens as a direct result, it’s a bad look for the sender.

So we had to smile (wryly, of course) when Naked Security reader hotdoge3 pointed us at a story from New Zealand in which a government department made a carbon-copy blunder by sending a “thanks for submitting your comment” email via CC to everyone who had submitted a comment via its website.

Assuming that the submissions were supposed to be anonymous, or at least private and individual, that’s a mistake that really ought to have been avoided.

Thankfully, with only 150 people allegedly on the CC: list in the first place, the scale of the leakage was small.

But the story took an amusing twist when the Ministry for the Environment followed up with an “our fault, really sorry about that” email that was itself CCed to everyone.

And this, in turn, prompted a third email (apparently avoiding yet another round of recursion by correctly using BCC:, not CC:) to apologise, in a way that would have made Monty Python proud, for the previous apology.

The lessons to be learned are:

  • The To: and CC: headers are revealed to every recipient.
  • The BCC: header is not.
  • Don’t put multiple recipients in CC: unless you intend them to see each others’ addresses.
  • Leaking email address lists via CC: helps spammers and scammers, even if only slightly.
  • CCing customers’ email addresses to other customers is unlikely to make a good security impression.
  • Think before you send, and if in doubt, use BCC: .