Friday, July 20, 2007


False positives can be costly

A recent article in Computerworld tells us about a case in which a Spam filter costs lawyers their day in court:

On the morning of May 21, Rea dialed up the spam settings on the Barracuda Spam Firewall 200 that Azar & Associates was using to block unwanted mail. The changes made it harder for spam to land on the desktops of company employees, but they also had one unforeseen consequence: The Barracuda Networks Inc. appliance began blocking e-mail from the U.S. District Court for the District of Colorado, including a notice advising company lawyers of a May 30 hearing in a civil lawsuit.

Azar & Associates lawyers blew their court date, and this week the judge overseeing the matter ordered the company to pay attorney fees and expenses incurred by the lawyers who showed up representing the other side of the case.

It's a problem we all worry about: a false positive that catches a key piece of email, and that results in lost business or worse. I'm not a lawyer, obviously, but I think it'd be very strange if a judge decided a case against you because of this, at least the first time. But monetary loss? Yes, sure. Why should the other attorneys foot the bill for your spam filter's error?

One lawyer is quoted in the article as saying, “It doesn't take a very high percentage of false positives in the antispam world to misidentify a crucial piece of correspondence.” Indeed, it doesn't.

The article suggests that white-listing the court's email domain is the answer, but that's too simplistic.

  1. There's no a priori way for law firms to know what domains they might expect mail from. Should it be their responsibility to chase them all down in advance and manually add them to a white list?
  2. Experience shows that legitimate senders are anything but rigorous in assuring that their mail is only sent from their “official” domains; variations abound, use of contractors is common, and the contractors' domains are often exposed when they shouldn't be.
  3. There's no guarantee that mail appearing to come from the court's domain really did. Anyone looking to send spam to lawyers would do well to spoof a court's domain, so the legitimate mail can still get lost in the mess.

Sender verification mechanisms such as DKIM can certainly help with item 3, but not with items 1 or 2 — the management of the white lists is still a manual and error-prone process, and the consequences of missing a domain are serious. Reputation and accreditation services can help there, and they are developing. But it's still always possible that a sub-optimal practice on the court's part will result in missed mail at the law office.

The right answer in this case is to do one of two things:

  1. Use fully signed email (using S/MIME) for this. When a law firm is first connected to a case, the court provides it with a certificate that will identify all email associated with the case. Ideally, the law firm would provide the court with a certificate too, and all correspondence between the court and the law firm would not only be signed but would be encrypted as well. Or...
  2. Don't use the open email system for this at all. Set up an alternative electronic mechanism that the law firm would know to use to look for updates on its cases. A web site that they would check would work fine. In an ideal world, all courts would coordinate things through one web site, so there'd only be one place they'd have to check. If the web sites all supported Atom feeds, multiple web sites wouldn't be too bad.

Unfortunately, neither of these really solves my complaint number 1 above — they only make it more obvious that something must manually be done. The problem with the default situation, as described in the article, is that it was too easy to miss the fact that email might be coming from, or whatever, and that something had to be done to protect it.


scouter573 said...

OK, let's assume you get the email successfully delivered to the law office. How does the judge know that it is valid? "Oh, gosh, your honor. I'm late because the email I received said the 25th, not the 15th. So it's not my fault that I was late." How does one prove that the message arrived intact? Remained intact on the destination machine(s)?

And how does one even consider email to be a legally binding notification? I thought that required some sort of audit trail (e.g., such that the postal service or package delivery service could provide). I don't see a trustworthy email delivery system, just a bunch of nominally cooperating servers run by unknown organizations.

Signed email? Sure - but who is the signature authority?

I'm a computer weenie, but on this topic, I still like getting notifications on paper.


Barry Leiba said...

Right... that's why I suggested that the real answer is a dedicated application, rather than the open email system. Signed/encrypted email with return receipts would do most of it, but as I've said before, and as Andy points out here, that's hard to get working right even for computer weenies.

And, of course, yes... paper is still a good option. I'll point out, though, that paper notifications can still go missing, either en route or after delivery. There's something nice about having electronic versions, with backups and automated reminders.