Home | Profile | Services | Training | Hints | Staff | Contact | Links


Elm Place Logo Best viewed with any browser

The Dangers of CC

Think before publishing your friends' email addresses!

The providers of email programs, including those used for webmail, make it easy to send messages to more than one recipient - it's called Carbon Copy or CC for short.

What they don't say is that it's bad practice to use CC without thinking of the consequences, and that it's better to use Blind Carbon Copy (BCC) in most cases. And the same goes for multiple To: addressees.

The consequences of CC and of multiple To: addresses are that the email address of each To: and CC recipient is contained in the message that all the recipients receive. This isn't a worry if each recipient already has all the others' stored in his address book, or if they are all happy for their addresses to be made public. But if you don't have the explicit or implicit permission of the recipients to publish their addresses in this way, you are breaching their privacy.

But there's another danger. Address books and email messages are potential targets from which malicious people and organisations can harvest addresses and use them for criminal purposes such as the spread of dangerous programs such as computer viruses or as steps in Identity Theft. The inclusion of CC addresses and multiple To: addresses in messages makes such harvesting even more lucrative.

How do I avoid this peril?

It's easy. If you are sending a message to more than one person, don't use CC, and don't have more than one To: recipient. Use Blind Carbon Copy (BCC) instead. BCC stores all the addresses in the message you send and the email protocols use them for directing the messages, but BCC addresses are not delivered to anyone. And, while you're about it, use yourself or a dummy addressee as the only To: addressee. The sender's email address is always delivered, so you can't hide that.

The most secure arrangement is to put just one recipient (yourself or a dummy) in the To: list and put all the intended recipients in the BCC list. However, this may not always be the most practical approach because it defeats the Reply to All capability, so you must strike a balance between utility and security.

What about forwarding messages?

If in doubt, remove all the email addresses from messages you forward before you send them on. Be aware that email programs often hide email addresses behind "friendly" names so that you don't see the addresses although they are still present in the message. So you may need to remove the names instead. You should even remove the sender from the message you are forwarding unless you know he is happy to have his address passed on.

How do I stop recipients from using my CC'd addresses if they forward my messages?

You can't! Use BCC instead of CC and, to hide your address, use a dummy one for yourself. If you want recipients to know who else had a message you send, you'll need to have a second set of names and addresses in your Address Book with a dummy address for each. You can use the same dummy address for everybody if you like. Or, perhaps easier, just put their names into the body of you message.

Why should I bother with all this?

Well, first you should realise that email addresses are Personal Data and that divulging them carelessly is unlawful in most countries. But it's equally important not to make life easy for people who can use email addresses for criminal purposes.

Anything else?

Yes! Be careful when using Reply or Reply to All and adding new recipients. You may need to cut and paste some addressees into the BCC list.

It's a disgrace that the providers of email services and educators and books about Information Technology do not make clear how CC and multiple To: addresses can be abused.

Please feel free to pass on this address, www.elmplace.co.uk/CCDangers.htm as you see fit.