Sunday, November 26, 2017

Blind Carbon Copy (BCC) For Privacy


Large e-mail lists are often developed when sending out newsletters, bulletins, or daily announcements. If you send an e-mail to multiple people, a security best practice is to place all of the e-mail addresses on the Blind Carbon Copy (BCC) line of the message. Addresses on the BCC line are not visible to recipients of the e-mail, unlike addresses on the To: and Cc: lines which everyone can see. Everyone listed on the BCC line will receive a copy of the e-mail, but their e-mail address will remain invisible to other recipients of the message.
 
If a message is forwarded, addresses on the To: and Cc: lines are sent with the forwarded message, but addresses on the BCC line remain invisible and are not included with the forwarded message. If someone selects ‘Reply All’ in a message, the sender and everyone on the To: and Cc: lines receive the reply, but addresses on the BCC line do not receive the reply because they are not present in the headers of the delivered message. Of course, everyone on the BCC line is still able to reply to the sender of the message. In general, when using BCC to send e-mail to large groups, put your own e-mail address on the To: line, since everyone will know the message is from you anyway.
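The behaviour described above comes from the way mail is delivered: the server delivers to the SMTP envelope recipients, which is a separate list from the To:, Cc: and Bcc: headers that recipients can read. A BCC address belongs in the envelope but must be removed from the headers before the message is sent. The following Python script is an added example (not part of the original post) that builds a message both ways, shows which addresses a recipient or anyone reading the message in transit can see, and computes who a "Reply All" would reach. All addresses are constructed placeholders; the `build_message`, `visible_recipients` and `reply_all_recipients` functions are the example's own, though the stripping of Bcc mirrors what `smtplib.SMTP.send_message()` does.

```python
# Added example, not from the original post: Bcc at the message level.
# Delivery uses the SMTP envelope (RCPT TO), which is separate from the
# headers a recipient can read. A Bcc address must be in the envelope but
# must not survive in the headers that go on the wire. All addresses here
# are constructed placeholders on reserved example domains.
from email.message import EmailMessage
from email.parser import BytesParser
from email.policy import default


def build_message(sender, to, cc, bcc, subject, body, keep_bcc_header=False):
    """Return (wire_bytes, envelope_recipients).

    keep_bcc_header=False reproduces what smtplib.SMTP.send_message() does:
    Bcc is used only to build the envelope and is deleted before the message
    is serialised. keep_bcc_header=True shows the mistake of leaving it in.
    """
    msg = EmailMessage(policy=default)
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    if bcc:
        msg["Bcc"] = ", ".join(bcc)
    msg["Subject"] = subject
    msg.set_content(body)

    # Envelope: everyone who should get a copy, Bcc included, de-duplicated.
    envelope = list(dict.fromkeys(to + cc + bcc))

    if not keep_bcc_header:
        del msg["Bcc"]  # the Bcc header must never go on the wire
    return msg.as_bytes(), envelope


def _addr_specs(msg, *fields):
    """Bare addresses found in the given header fields of a parsed message."""
    found = []
    for field in fields:
        for header in msg.get_all(field, []):
            found.extend(a.addr_spec.lower() for a in header.addresses)
    return found


def visible_recipients(wire_bytes):
    """Addresses any recipient, or anyone examining the message en route,
    can read from the delivered headers."""
    msg = BytesParser(policy=default).parsebytes(wire_bytes)
    return sorted(set(_addr_specs(msg, "To", "Cc", "Bcc")))


def reply_all_recipients(wire_bytes, replier):
    """Who 'Reply All' from `replier` reaches: From + To + Cc, minus self.
    Bcc recipients are absent because their header never reached the client."""
    msg = BytesParser(policy=default).parsebytes(wire_bytes)
    addrs = set(_addr_specs(msg, "From", "To", "Cc"))
    addrs.discard(replier.lower())
    return sorted(addrs)


if __name__ == "__main__":
    sender = "sender@example.com"
    members = ["bob@example.org", "carol@example.net", "dave@example.edu"]
    # The post's advice: put yourself on To:, the whole list on Bcc:.
    good, rcpts = build_message(sender, [sender], [], members, "Bulletin", "Hello all")
    bad, _ = build_message(sender, [sender], [], members, "Bulletin", "Hello all",
                           keep_bcc_header=True)
    print("envelope recipients:       ", rcpts)
    print("visible in correct message:", visible_recipients(good))
    print("visible in naive message:  ", visible_recipients(bad))
    print("reply-all from bob reaches:", reply_all_recipients(good, "bob@example.org"))
```

Running the script shows the envelope carrying every member while the correctly built message exposes only the sender's own address; the naive variant, which keeps the Bcc header, exposes the whole list to every recipient, which is exactly the leak the practice of using BCC is meant to prevent.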
 
Keep in mind that many people do not want their e-mail address and other personal information disclosed to someone that they do not know. Using BCC protects individual privacy by not disclosing the e-mail address of every person on a distribution list to every other person on the list. BCC helps to reduce spam, since BCC addresses cannot be seen and harvested by spammers, and BCC messages cannot be used to develop lists of the names of the employees of a company or the members of an organization since, again, the names and e-mail addresses of the recipients are not visible.

It should also be noted that NIST Special Publication 800-122, "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)" lists e-mail addresses as one type of PII. The "OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002" (M-03-22, Attachment A. IIA.b.) also specifically identifies email addresses as PII.  You may have specific legal requirements to safeguard PII, especially if you send information to people in multiple businesses, organizations, or separate government agencies.

According to the U.S. Department of Labor, Personal Identifiable Information (PII) is defined as:
Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.
 
BCC helps to protect the privacy of individuals included in large e-mail groups. It also helps protect you (the sender) since someone who receives a copy of your e-mail is unable to see your entire distribution list. Note however that BCC e-mail addresses are visible to someone with access to the Exchange Server, so BCC does not hide e-mail addresses from your e-mail service provider. Additionally, when using encryption with BCC, the encryption system may expose BCC addresses. In a Stanford University paper, Correcting Privacy Violations in Blind-Carbon-Copy (BCC) Encrypted Email, the authors "show that many widely deployed email encryption systems reveal the identities of Blind Carbon-Copy (BCC) recipients. For example, encrypted email sent using Microsoft Outlook completely exposes the identity of every BCC recipient. Additionally, several implementations of PGP expose the full name and email address of BCC recipients. Email messages should not reveal the identities of Blind-Carbon-Copy (BCC) recipients. We show that many widely deployed email encryption systems, however, reveal the identities of every BCC recipient to all email recipients and to anyone who examines the email message en route. In most cases, the BCC recipient’s identity is exposed by a unique identifier that also exists in publicly accessible databases on the Internet. In some cases, however, the full name and email address of a BCC recipient is included in the clear in the ciphertext of the encrypted email message... Conclusions: many encrypted email systems mishandle BCC recipients and violate privacy. The most severe violations are in implementations of S/MIME, including Outlook, Mail.app, and Thunderbird, where the identities of BCC recipients are completely exposed to anyone with a text editor."
 
Even though encryption can expose BCC addresses, I still recommend using BCC when sending e-mail to large groups of people. BCC protects you from accidental exposure of your e-mail distribution lists, and prevents multiple e-mail addresses from being displayed in printed copies of an e-mail. Also, most recipients of your e-mail messages are unlikely to be attempting to expose the BCC addressees of your message. So, BCC is still a useful security practice. 
 
If the BCC line is not visible when you open a new e-mail message: In an open message, on the Message Options or Options tab, in the Fields or Show Fields group, click Show Bcc or Bcc. (Applies To: Outlook 2016 Outlook 2013 Outlook 2010 Outlook 2007.)
 
Although BCC is not perfect, it is a simple technique to help improve security of your e-mail.  Consider using BCC the next time you send an e-mail to a large group of people.
 
 


