A question of ethics: deleting emails from user mailboxes

Mail platforms sometimes offer ways for administrators to remove messages from the mailboxes of other users, and there are ethical considerations when doing so.  This post is the start of a mini-series about ethics in ICT / computing / digital life and I'll start with a quote:

With great power comes great responsibility

The exact origin of that quote is unknown but it's often attributed to Uncle Ben in the Spiderman comics.  Regardless of who said it, the quote holds true.  Thinking about the role of a system administrator, we often have vast powers over a system - can delete users, change files, alter logs - but how we use those privileges is important.

Consider this post's title, deleting emails from user mailboxes.  There are a few scenarios where this could happen and I'd suggest the scenario very much changes our perception of right and wrong.  I'll look at a few examples but will first explain the ways this can be done.

Microsoft Exchange: message recall

Anyone that's been around business email for a while has probably come across a message that says "Fred Bloggs attempted to recall this message", "this message has been recalled", or words to that effect.  Microsoft Exchange allows a user to attempt to undo sending a message by recalling it.  The important point to note here is that only unread copies of the message are deleted.  If a recipient has already read the fated message then the sender is out of luck.

This is similar to writing a note, placing it on someone's desk while they're out and then removing the note before they get back.  As they haven't read the note they won't know that it was ever left so there's no harm done and I don't see a problem with this.  As someone who can be quick to anger I can appreciate the ability to take back something said in the heat of a moment.

Message recall doesn't work outside the organisation either, so sending a snotty email to a supplier and then trying to recall it is a wasted venture.

Google mail: undo sending

Similar to message recall in Exchange, "undo sending" actually works by delaying email sending for 30 seconds.  I'm not going to say much about this as it never reached the recipient, but include it for completeness.

Gmail: delete emails with GAM

Jay0lee's GAM tool uses the GSuite Application Programming Interface (API) to perform a multitude of tasks, and it's a very handy tool for administering a GSuite domain.  In this case we're interested in the delete messages command which, as the name suggests, deletes messages.  This can be performed on all users and just requires relevant GSuite permissions and the message ID (details here).

From a forensics perspective it's important to note that as of the time of writing (May 2019), this particular GAM action (along with some others) is not recorded in any way.  I've even confirmed that with Google.  That means an administrator could remove the email and no-one could prove that had happened.

Exchange: Search-Mailbox -DeleteContent

This Exchange Management Shell cmdlet searches for a message and deletes any message meeting the search criteria, and there's a nice tutorial on CodeTwo.com.  I've not been able to experiment with this feature, but I suspect whether or not the action is logged will depend on the Exchange logging level that's set.

Google / Exchange / Others: just login as the user

Not quick or automated, but if absolutely necessary the administrator could just reset the user's password and login as them, removing the email.

When might this happen?

As I mentioned, the situation is likely to determine whether people think an action is justified.   For example, in the event a malware attack has taken place and emails have been sent by the attacker to help spread the malicious code, I would have very few reservations about deleting the email en masse.  Nonetheless, I'd probably still send an email to the effected users letting them know and warning them to be on their guard.

It's also possible that someone has maliciously sent a message to the whole organisation, perhaps in a manner that would be considered bullying.  Think of a rejected lover circulating explicit pictures of their ex to every employee.  Personally I wouldn't consider a mass deletion of that email a problem as it protects the dignity of the individual, isn't everyone else's business anyway and isn't business related.  Quite likely it's against the law (revenge porn for example) and against the organisation's email policy.

Another fairly regular occurrence is when an email is accidentally sent to the wrong recipient or a message is sent in error.  Most people that I've seen do this simply follow the message up with a "apologies, please ignore my email" type message but depending on the message content it might be appropriate to request a deletion.  This is much more of a problem for me: what happens if the email has been read?  Should ICT really be correcting someone else's mistake, rather than requiring them to learn the lesson of check your recipients?  Are we in fact using ICT to fix a people problem?

For me, a big factor is whether or not the deletion was logged.  Clearly logging the full message content would be self-defeating, but I'm a firm believer that a log entry should exist to show a system administrator deleted a message, preferably with details of the date, time, and sender of the message along with the recipients it was deleted from.

Why is logging important here?  Firstly, the log protects against rogue administrators - if you know there's a chance you'll get caught you're less likely to do something wrong.  Just ask a teenage boy[1] what he'd do if he could be invisible for a day!  Logging also means that a forensic analyst, or investigating administrator, can show that an action took place.  This is particularly important for incident response or in disciplinary cases where the positive indicator of an action could determine the outcome of the investigation.

Also consider what happens when the delete action is not logged (as in the GAM tool at least).  If someone has built a disciplinary case (or defence) based on the emails they hold, a suitably[2] empowered opponent could remove supporting evidence (incriminating or otherwise) and that's a very dangerous position.  Because that action was not logged there's no way for the other side to prove tampering took place short of extensive forensics.  In cloud hosted mail environments forensics can be very hard, if possible at all.

As a mitigating control I'd recommend all ICT departments implement a policy covering the following things:

• Who is authorised to request the deletion of emails from someone else's mailbox?
• Under what circumstances will a deletion be entertained?
• The formal process for requesting deletion (this should not be by a phone call or conversation, there needs to be an audit trail)
• How the policy will be overseen / enforced

It should go without saying, but obviously that authorisation cannot come by email (someone could just remotely delete it afterwards).  Having multiple persons approving the deletion request would certainly seem appropriate.

Conclusion

As with all things, deleting emails from someone else's mailbox should be carefully considered and there needs to be a balance.  "Because I can" shouldn't be the answer, instead thought should be given to if a deletion is the right thing to do.  Who is the deletion really serving?  If it's just a case of saving yourself some face then, personally, I'd say you'll grow more as a person by admitting your mistake and handling it well.  Life doesn't have a control zed ... [3]

Banner image a word cloud based on some words that sprang to mind.

[1] I've only been a teenage boy (not a teenage girl) so can only speak from experience.  Often the answer would be "I'll watch attractive girls getting changed", hormones!  In the interests of equal opportunities please substitute whatever age and gender works based on your experience.

[2] Suitably as in sufficiently empowered, not necessarily appropriately empowered.

[3] CTRL+Z (control zed) - keyboard shortcut for undo.