Limited retention policies for email are user-hostile

January 18, 2015

I periodically see security people argue for policies and technology to limit the retention of email and other files, ie to enact policies like 'all email older than X days is automatically deleted for you'. Usually the reasons given are that this limits the damage done in a compromise (for example), as attackers can't copy things that have already been deleted. The problem with this is that limited retention periods are clearly user hostile.

The theory of limited retention policies is that people will manually save the small amount of email that they really need past the retention period. The reality is that many people can't pick out in advance all of the email that will be needed later or that will turn out to be important. This is a lesson I've learned over and over myself; many times I've fished email out of my brute force archive that I'd otherwise deleted because I had no idea I'd want it later. The inevitable result is that either people don't save email and then wind up wanting it or they over-save (up to and including 'everything') just in case.

Beyond that, such policies clearly force make-work on people in order to deal with them. Unless you adopt an 'archive everything' policy that you can automate, you're going to spend some amount of your time trying to sort out which email you need to save and then saving it off somewhere before it expires. This is time that you're not doing your actual job and taking care of your actual work. It would clearly be much less work to keep everything sitting around and not have to worry that some of your email will be vanishing out from underneath you.

The result is that a limited retention policy is a classical 'bad' security policy in most environments. It's a policy that wouldn't exist without security (or legal) concerns, it makes people's lives harder, and it actively invites people to get around it (in fact you're supposed to get around it to some extent, just not too much).

(I can think of less user hostile ways to deal with the underlying problem, but what you should do depends on what you think the problem is.)


Comments on this page:

You're entirely right that this is user hostile, but in my experience these policies are 98% legal, and 2% security.

By saying "We, by policy only save 6 months of email", you get to avoid a whole host of problems related to the legal discovery process. Someone comes back a year later and says they have some problem with their previous employer? "Oh, we don't have those records anymore, destroyed by policy, etc."

There's also the opposite example ISP's, for example, will only keep full fidelity logs of traffic and other data for a day or two, then keep summaries of traffic amounts, so as not to be subpoenaed into the legal process for their records.

On the flip side, you could be required to retain records for far longer than is practical - medical records are required by law to be kept for a very long time in the US - for example, a pediatrician in the US is required to keep the records of a newborn baby they see until that child is 28 years old. Unless the circumstances were very unusual, this has next to no medical benefit, and just provide a big paper trail for lawyers to dig through.

The lawyers are running the show here, at least from my perspective.

Written on 18 January 2015.
« Node.js is not for me (and why)
Why user-hostile policies are a bad thing and a mistake »

Page tools: View Source, View Normal, Add Comment.
Search:
Login: Password:
Atom Syndication: Recent Comments.

Last modified: Sun Jan 18 03:15:14 2015
This dinky wiki is brought to you by the Insane Hackers Guild, Python sub-branch.