NASA OIG's Odd Email Warnings
Keith’s note: I just got this email from the NASA OIG:
The NASA Office of Inspector General (OIG) today released its Semiannual Report to Congress highlighting the OIG’s activities and accomplishments from April 1 -September 30, 2012. View the full report and video summary at: http://oig.nasa.gov/SAR/sar0912.pdf and http://oig.nasa.gov/Video/OIGPaulMartin_SAR_10-26-12.html
Renee N. Juhans
Executive Officer
NASA Office of Inspector General
! WARNING ! This email including any attachments is intended only for authorized recipients. Recipients may only forward this information as authorized. This email may contain non-public information that is “Law Enforcement Sensitive,” “Sensitive but Unclassified,” or otherwise subject to the Privacy Act and/or legal and other applicable privileges that restrict release without appropriate legal authority and clearance. Accordingly, the use, dissemination, distribution or reproduction of this information to or by unauthorized or unintended recipients, including but not limited to non-NASA recipients, may be unlawful.
Did anyone stop and think about adding this legal language to emails sent to the media – or the public? How am I supposed to interpret the scary and somewhat threatening warning? Seriously. Am I an “authorized recipient”? If so when did I become one? Who are “unauthorized or unintended recipients”? I am going to post this on a website read globally by people I will never be able to identify. I did not agree to these security issues – indeed, this email was sent to me unsolicited. The warning also says “may contain …” Well, does it or doesn’t it – how am I supposed to know? Can the sender change their mind after it is sent?
This is how email disclaimers are done, and the general best practice methodology is to attach any potential disclaimers to all emails without exception. I don’t send a single email from my work account without an IRS Circular 230 disclaimer attached (which, to summarize a wordy disclaimer, basically warns against using anything in the email as the basis for taking a position on a tax return unless such use is specifically authorized and intended by the sender) and an attorney/client privilege warning attached, whether it’s actual legal advice or an email asking someone to go to a concert.
Legally, all I’m required to do is make you aware that the content of the email may be subject to certain legal rules/provisions. I don’t have to specify what, specifically, in the email is or isn’t protected, so long as you’re given notice that it may be protected. The burden falls on you to determine what, if anything, in the email can be relied upon or disclosed without busting the attorney/client privilege.
There is some question, legally, how far boilerplate like this can go in protecting the sender or recipient from liability, but so far this is still the accepted way to give notice.
No one else at NASA has this disclaimer on their email.
No one else at NASA is an office full of attorneys whose job it is to be keenly aware of these sorts of requirements, though.
That said its a stupid thing to do – if nothing else it makes the media more suspicious of NASA.
It sounds like press releases will have to contain an official authorisation to republish.
ITAR strikes again.
No one else at NASA is an office full of attorneys whose job it is to be keenly aware of these sorts of requirements, though.
And that should give them at least one thing to be thankful for this Thursday.
“general best practice methodology is to attach any potential disclaimers to all emails without exception”
No lawyer or legal professional I’ve ever talked to (and I am always asking) has ever advocated that these disclaimers have any use whatsoever. These boilerplates are meaningless, period. To be blunt, any lawyer that has an email disclaimer at the bottom of their email is not one lawyer I’d hire.
For more opinion on the subject, may I suggest: http://lawyerist.com/email-…
Keith,
For whatever it’s worth, it has been my experience with big companies (not NASA or any other government agencies) that the disclaimer is often tacked on by the mail system at send time and is not part of the originator’s email template, even though that seems pretty dumb.So, if you’ve never had anyone “reply” to one of your emails (so that you see a copy of the original), you’d never know there was anything being added. I have talked to people who didn’t know that anything was added to their emails by the system, and people who knew a disclaimer was added but couldn’t tell you what it said to save their lives.However, the most common situation, in my experience, is that people know it’s there, but they’re so used to seeing it that they simply don’t think about what it says, or what it implies, and just ignore the fact that they’re sending it with their messages. Objectively, this is certainly not a good thing, but it is human nature. As a result of the same human nature, I suspect that most people don’t read a disclaimer anyhow, or give any thought to it, even though they know it’s there, so the whole concept needs to be rethought.Steve
They send these odd emails to the media …
The irregularity and the timing of these sorts of communications to the media makes me wonder if someone in the OIG decides to send them selectively for a reason, or if they simply have a monthly quota to meet, and those times when they need to scramble to meet the quota you get copied based on the keyword NASA. Although that’s only WAG speculation on my part, it would help explain why they don’t send you the memos which you don’t get.
I can also imagine simple software cross-referencing mailing lists with keywords to decide what gets forwarded to whom. Not a very effective method, but it is very efficient, right in line with OIG style.
Steve
Posting a blanket warning is not best practice. What that does is train everyone to ignore it. If you don’t want the whole world to see it, don’t send it out.
The sender should identify information that really is sensitive. But no one knows what’s actually sensitive, or wants to bother figuring it out.
Like so any NASA requirements, this was implemented with no thought to either practical value (none, since anyone who sends sensitive info unencrypted by ordinary email is already violating NASA rules and anyone who really wants to spread sensitive information will do so). No thought given to cost of compliance. What is the total cost to NASA of all these people spending time reading this notice with every email?
Glad you are calling attention to this, and not just for NASA’s version but for all of those from large companies out there. With all of those unanswered questions, maybe we should start forwarding all emails with these things on them to the company’s legal department for clarification (and revenge).