So looking at planetlotus.org today I noticed a blog entry entitled Save as EML in Notes 8.5.2 Can’t be Disabled? and I’m confused as to why this is really a problem. I logged into Bleedyellow to write a comment but for some reason comments are disabled on that blog so here is what I would have said in my response.
In the blog entry it is stated that “US-based companies subject to the Federal Rules of Civil Procedure and the vexing and huge costs of email ediscovery in civil matters, would have the scope increase for email searches to many other places, which will add much more cost.” If this is the case then you need to seriously reevaluate your email eDiscovery system because the only way to ensure that eDiscovery is 100% successful is to capture all emails before they hit the user’s inbox, either through an add-in task on the server or even using the built-in Domino Journal feature. Once the email has been captured by the server you have a record of that email no matter what the end user does. They can delete it, they can edit it, they can copy/paste the text to somewhere else and now, with 8.5.2, they can export it as an eml file.
When your legal department needs to do an eDiscovery search of emails they do the search on the emails that were captured by the server. It is a single place for them to look at all emails and be safe in the knowledge that all the emails to ever go through the server are there and unaltered.
If your eDiscovery system is capturing emails AFTER they have hit the user’s inbox then there is no way to guarantee that the emails haven’t been deleted or altered. Any legal search of emails in such a system would not generate valid results.
The case for having the ability to be able to disable the export to eml function in Domino is, in my opinion, null and void. Legal departments shouldn’t have to care about what happened to an email after the user has received it as long as they have proper records of the emails when the user received it.
I tried to comment too and emailed a suggestion that one can configure an A/V policy to block *.eml on the filesystem (silently or with an obnoxious alert message).
I also don’t understand how it’s any different than cut and paste or export.
The feature has been in Outlook for several years and I’ve never heard this concern leveled about it before.
Good point Declan. If the email is so sensitive that the company doesn’t want to be able to use file-save as, then the user shouldn’t even be able to view the email. Unless, of course, the company has disabled the use of the print screen button on the keyboard along with removing mspaint from all of the workstations. Not to mention that the user could use File > Print to print it out (possibly to even print it out to a PDF). There are far too many ways to capture the contents of that email. Even copy-paste into Word. So IBM adding a much simpler way to do this is NOT a big deal and it’s NOT a reason to prevent someone from upgrading to 8.5.2.
That being said, IBM should probably look into allowing this to be configurable. IBM does have a habit of introducing new features without allowing Admins to disable them completely. The problem here is that drag-and-drop to .eml is configurable but not File > Save As > eml. We should be able to disable that. But in this specific case it really shouldn’t be that big of a deal.
I wrote a Blog about this a week or so ago and do understand Dan’s concern.
Denny, as I said, you can disable the drag-and-drop but you can’t disable File > Save As (not that I can find at least…)
I’ve got two words for you guys: Prevent Copying.
You can find this on the Delivery Options dialog in a new mail. Setting the Prevent Copying flag adds the internal item $KeepPrivate to the message, which then prevents copying the message to the clipboard, forwarding it, printing it, or exporting it.
However the drag-to-EML process does NOT honor this flag. So you can get an EML export of a message that has been explicitly set not to export. In my opinion, that’s the real problem. The EML process itself is a bypass on a confidentiality control that Notes has had since R6.
Make it honor that setting, and all the above arguments become true.
As far as the eDiscovery process goes, I think Declan’s thinking like an engineer instead of a lawyer. The real discovery concern is the following scenario…
1) Our company is subject to federal rules for discovery.
2) We don’t like that, because if we’re being sued, we’d prefer to do as little as possible to help our opposition.
3) Therefore, we want to retain whatever information is necessary to be compliant with the rule AND NO MORE.
4) If we happened to retain more information than we were legally required to, we are still obligated to provide that information in discovery whether we want to or not.
5) If we diligently retain according to the requirement, and diligently remove everything else, we are in compliance while minimizing legal risk.
6) If an individual user can bypass our measures for #5, they could have records that are discoverable.
7) If we know item 6 to be the case, and we don’t account for it in the discovery process, then we are not in compliance with the discovery order.
8) If the opposition knows 7 to be the case, and they can prove it, they can get us sanctioned for contempt if we receive said discovery order.
9) Such sanctions would entail considerable legal risk. Like civil action bankruptcy-inducing type risk.
10) Therefore Notes sucks.
Okay, the last point is hyperbole, but that’s where Dan’s coming from in the first place.
@Denny Russell – I think the point is it’s no different than print to PDF, or copy paste to a word document, or another destination … so if the courts don’t care that you “think” you’ve captured everything, then you have to search everything anyway. The functionality exists already in a myriad of other fashions to create “external single instances” of emails that would need to be searched during discovery …
@Nathan. I can’t believe that you just proposed that ‘Prevent Copying’ is a solution. It is EASILY disabled by getting rid of the flag and for end users just open the email and do a print-screen and save it to an image file. Can’t do that then take out your camera phone and take a picture of the screen.
@Declan – “It is EASILY disabled by getting rid of the flag and for end users just open the email and do a print-screen and save it to an image file. Can’t do that then take out your camera phone and take a picture of the screen.”
And how does turning off EML exporting address either of those two attack vectors?
@Declan, we aren’t talking about what’s in the realm of information security. We’re talking about what’s in the realm of legal compliance. A judge is unlikely to hold a party in contempt because they didn’t turn over materials that a person deliberately bypassed security measures on. They might be held in contempt for not bothering to check whether the user executed an ordinary function within the program.
Again, this isn’t an engineering issue. It’s a legal one.
This wins as the dumbest thing to rant about I’ve heard today — and that’s a high bar, I have to say, given that I had to sit through a security review and was told I should have an intrusion detection device in an environment that consists of a single server and a dedicated firewall appliance.
Not everything is a software problem.
I’m not sure that Nathan was saying Prevent Copying was the solution, but that the export to EML ignores it, and that’s a problem because the end user would at least expect that to be enforced …
Honestly the whole prevent copying thing is impossible to defend against. It’s just a victim of the advanced users where there are a million ways around everything …. if they can break the encryption on DVDs etc … I’m sure they’ll figure out a way around “prevent copy” … it’s just an unrealistic expectation, and a throwback to “simpler times” (or users – take yer pick)
I spend a fair amount of time processing investigative requests.
Jeff Eisen, the chief architect for Notes, has posted comments in the Notes.Net IBM DeveloperWorks Lotus discussion forum on this issue.
Prevent copy does not prevent saving emails as eml files! It only prevents exporting emails… it seems they missed this point.
The only solution is to use a third party product. Our “Easy User Policy Manager” product prevents emails from being saved as EML files (it handles both the drag&drop in the view, and the file-save as in the documents). This can be configured for all DBs, for just some DBs, or for just some documents….
@ everyone, Interesting thread, sorry just catching up.
Putting my email archiving vendor hat on…
There are some very important points that I think many people in this thread are missing.
@Richard – “The fact that all of the above is true totally sucks! Preventing users from keeping local data is a double fool’s errand. You can make it pretty doggone inconvenient, but you can’t make it impossible without going to extremes; and it interferes with users’ ability to do their work.