Should BCC be the default email address field?

A constant source of annoyance for many technically-inclined computer users is mass mailings from more nontechnical users that expose every recipient's email address to everyone else. Perhaps a simple UI change is in order.


While writing "Why your college uses Microsoft Windows for everything", I revisited some old essays written by Dave Gutteridge about why people do not make the switch from MS Windows to open source (and free of licensing cost) operating systems. In one of these ("No Really -- Windows Is Free") he comments on the way many end users send emails:

Take, for example, the fact that almost none of my non-computer minded friends ever use, or understand, the "BCC" field that is in every single email client available. They don't even know it's there. I've given up trying to explain it to them, and have come to accept that every now and again, one of my friends will send every email address of everyone they want to contact to everyone else they know.

This brings to mind an article more than two and a half years old: "Interface design is security design". Obviously, something has failed in standard mail client UI design if what Dave Gutteridge said accurately describes the reality of email usage amongst nontechnical end users. Given my own experience with parents, other relatives, and a number of acquaintances over the years, no reason to dispute his estimation comes to mind. I have even made the effort to educate some of my relatives and other acquaintances on the proper use of the Blind Carbon Copy field in various email clients, but eventually I receive another email with my address and those of a number of people whose names are totally unfamiliar to me displayed for all to see in the To field.

The use of the BCC field when sending emails is a privacy matter and, because privacy is security, that makes it a security matter. There are those who would claim that security and usability are largely incompatible, that you have to sacrifice usability to get security, but for most purposes that simply is not true. Good usability design takes security into account, and ensures that doing the right thing is the easy thing to do.

RFC 2822, Section 3.6.3 defines the To, CC, and BCC header fields of an email. Nowhere in that, nor in the table in section 3.6, does it suggest that the To header field needs a value. If I have overlooked something in this regard, someone let me know.

Assuming for the moment that filling in the To field is unnecessary for standards compliance, and knowing that people tend to just pile every recipient email address into the default address field, the answer seems obvious: make the BCC field the default address field for outgoing emails in your email client application. While a BCC label is a good idea for purposes of informing more technically inclined users about the specifics of what they are doing, there is nothing to say that another label cannot be applied to make it clearer this field is where the addresses go. In fact, if I were designing a GUI email client application today, I would probably provide only a single outgoing address field by default with a button available to expand the field into more fields for "More Options" in case someone wants more fine-grained control (such as the technically savvy user).

The end result is that, for most users, all recipient email addresses go in the BCC field, all the time. For the inevitable mass mailing of some chain-letter, forwarded-spam-HTML email, people's addresses would then not be exposed to other people on the list that they have never met.
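The proposal rests on the split between a message's headers and its SMTP envelope: delivery follows the envelope, so the recipient list never has to appear in a header. The following is an added example, not code from this article or from any mail client; the addresses are constructed and the function names are hypothetical. It runs one mailing through four client behaviours, including a client that leaves the Bcc header in the transmitted message, and reports which addresses each recipient could read.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

ADDRESS_HEADERS = ("To", "Cc", "Bcc", "Resent-To", "Resent-Cc", "Resent-Bcc")
SENDER = "sender@example.org"                      # constructed sample data
RECIPIENTS = ["alice@example.org", "bob@example.net", "carol@example.com"]


def compose(sender, recipients, subject, body, field=None):
    """Build a message. `field` names the header that receives the
    recipient list ("To", "Cc", "Bcc"), or None for no such header.
    Returns (message, envelope); the envelope is what an SMTP client
    passes as RCPT TO and is independent of the headers."""
    msg = EmailMessage(policy=policy.SMTP)
    msg["From"] = sender
    msg["Subject"] = subject
    if field:
        msg[field] = ", ".join(recipients)
    msg.set_content(body)
    return msg, list(recipients)


def strip_blind_headers(msg):
    """Remove blind-copy headers before the message leaves the client."""
    for name in ("Bcc", "Resent-Bcc"):
        del msg[name]          # no error if the header is absent
    return msg


def exposed_recipients(wire_bytes, sender):
    """Addresses (other than the sender) readable in the transmitted headers."""
    parsed = message_from_bytes(wire_bytes, policy=policy.SMTP)
    found = set()
    for name in ADDRESS_HEADERS:
        values = [str(v) for v in parsed.get_all(name, [])]
        found.update(addr.lower() for _, addr in getaddresses(values) if addr)
    found.discard(sender.lower())
    return sorted(found)


def compare_clients():
    """Run the same mailing through four hypothetical client behaviours."""
    cases = {"to_field": ("To", False), "bcc_left_in": ("Bcc", False),
             "bcc_stripped": ("Bcc", True), "no_recipient_header": (None, False)}
    report = {}
    for label, (field, strip) in cases.items():
        msg, envelope = compose(SENDER, RECIPIENTS, "Fwd: fwd: fwd", "hello\n", field)
        if strip:
            strip_blind_headers(msg)
        report[label] = (exposed_recipients(msg.as_bytes(), SENDER), len(envelope))
    return report


if __name__ == "__main__":
    for label, (exposed, delivered) in compare_clients().items():
        print(f"{label:20} delivered={delivered} exposed={exposed}")
```

Running `exposed_recipients` over the bytes a client actually hands to its mail relay is a quick way to confirm that a given client and relay combination really removes Bcc before transmission.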

What are the downsides?

Perhaps I should get into the business of Webmail interface design some day.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

33 comments
Justgeo1

I use BCC as my primary way of sending messages to a group if it's rare for me to send to them. If I plan on reaching the same people frequently, I'll create a group on Yahoo, Google or some other social network site and post there. I prefer to use email for quick conversations with individuals or small groups in a limited way.

RFink

No, but stupid people shouldn't e-mail. I refuse to give my e-mail address to my church for that reason. Every e-mail my wife gets has half of the ward in the TO: field. When asked, I explained. If I give you my e-mail it's for church business but that does not give you the right to publish it.

web mouse

A few observations: An organisation's e-mail policy should specify the appropriate use of 'cc' and 'bcc' and the policy needs to be enforced. (For instance - Is e-mail the best communications medium for the information being circulated or are there options to place the information at a single location within the organisation's intranet?) Choosing or setting up internal circulation groups (whose group names then appear instead of converting to individual group member names) may alleviate the issue. Using 'bcc' can raise privacy issues, e.g. if users find out that HR e-mails are being blind-copied, possibly unnecessarily.

bboyd

Sure BCC could mitigate this. Email clients need to be redesigned and forward and Reply needs to strip away the junk. Specifically any address in the headers. Good emails should take a couple of K at the most. If an address is needed by the recipients it should be tagged into the body. My opinionated view. Bulk of the business emails I deal with are an endless stream of signatures junk. Front of email body four lines. Response two lines. Signature eight lines, and the sig made in Word is 20 times the size of one properly written. repeat 8 replies. So my habit is to take each meaningful text block and copy them into the next reply separating each with the responders email. Makes a complex reply chain much easier to follow.

dphopkins

NO! Don't penalize everyone because a couple of dinosaurs don't want to learn.

ict

Just put distribution lists automatically in bcc and your problem is solved! As it is a UI design problem, that ordinary users don't know what BCC is, nor how to make it visible in Outlook Express or Windows Mail, it would be easy if the mail program puts a distribution list in BCC (and copy yourself in To:), and if you are aware of the bcc-principles you know how to change this in case you really want these people to see each other. A problem with Bcc is for example that the pop-connector of Exchange isn't able to read it, and that's another Microsoft soft I think...

dogknees

I think it's appropriate for you to let me know who else you've sent the information to. The problem, as others have pointed out, is the use of the option.

CharlieSpencer

is that it becomes more difficult to break recipients down into those who need to take action (supposedly those addressed by 'TO') and those who are getting the message for informational purposes (the original purpose of 'CC'). But while we're at it, let's make it much harder to select 'Reply to All' too. The only thing more annoying than having my address paraded before all the other recipients is when they all insist on sending every subsequent response to the original distribution, adding more names as they go. Take any 'Reply to All' icons or shortcuts away from their position adjacent to 'Reply' and bury them down about the eighth menu level.

Sterling chip Camden

Not all setups automatically hide the Bcc field from recipients. I found out the hard way that the default setup for the combination of mutt and ssmtp leaves them in -- I had to change write_bcc=no in .muttrc. Unfortunately, that can't be the default because other setups need to have the bcc field later in the food chain. wizard57m's comment makes me realize that I should look into modifying mutt's default behavior on forward.

wizard57m-cnet

I still receive emails from old friends that are forwards of forwards of forwards innumerable times. I've tried to tell people not to just click a "forward" button, that if they feel the message rates being sent onwards, copy and paste the actual text of the message into a new mail, and use BCC. Alas, nigh on 20 years, and still some of them will send me messages with sometimes hundreds of email addresses. Also, lately it seems many of these forwards will contain some privacy notice tacked on a few times for good measure...yeah, ok.

apotheon

Why would a sig block be eight lines long? It shouldn't be more than four lines or more than 80 characters wide -- for a maximum potential length of 320 characters.

apotheon

How does getting the computer illiterate to use the correct address field for mass mailings "penalize everyone"?

Ron_007

because a majority of computer/email users aren't dinosaurs, they are "technologically illiterate". They want to treat their computer like a toaster, flip a switch and forget it. When it comes to learning "new" features (ignoring the fact that CC/BCC is a carry over from the manual world, a concept that is at least! 100 years old) they emulate "the 3 monkeys": - They won't use a feature unless it is in their face (see no evil) - They won't listen to anyone trying to teach them (hear no evil) - They wouldn't pass the tip on to save their life (speak no evil). It would be great if all email providers would include a configuration option to select between TO and BCC as default address field. Hear the Google, Thunderbird, Hotmail, Outlook, Yahoo etc etc etc ...

apotheon

What about the fact that those other people didn't agree to have their information sent to you?

Kevin W

I have seen this more than once in the past: If neither the To field nor the CC field contains a valid email address on that given system, the email is rejected.

auroraflame

then how about adding an option/button for no header in email client?

apotheon

Unfortunately, there are some mailing lists that are so poorly configured that this is the "easy" way to get the list address into an email address field without breaking discussion threading.

wizard57m-cnet

Should be reserved ONLY for use by super snarky responders who desire to point out a deficiency in the original sender, and the button should only be activated by a series of repeated "right click menus"! No need to add the "Are you sure?" dialogue, those of us who accessed the button are already sure, and if someone did it by accident they more likely than not would click "Yes, I'm sure" anyway!

Jaqui

default behavior for forward is: you are an idiot, forwarding email is not permitted. that ought to stop the stupidity. :D edit to add: and then fill their inbox with 5 times as many emails as they have people in their address book, each one saying forwarded SPAM rejected in the subject.

wizard57m-cnet

Yes, it would be nice if email clients by default would NOT include "headers" in forwards. Many of them now don't, but quite a number do...AOL comes to mind! The worst part is that EVERYONE that forwards not only the original message and headers, etc., but their addressbook contacts get added, and the next, and the next, and so on ad infinitum. Then there must be some email software in use that will decide to DOUBLE the actual message! I've seen those several times...usually when someone decides that the original text font wasn't pretty enough or fancy enough or the wrong color! Sheesh...now I've got 2 or 3 renditions of the forwarded email, in different colors, different font, and each having its own list of email addresses just ripe for spam-harvesters!

CharlieSpencer

While I too have received many of these, I don't think one of them has ever been worth reading. As soon as I see multiple indents, I'm moving toward the Delete icon.

bboyd

That would be sane. I use a four line sig. I've seen plenty of signatures, 8+ lines and picture 1.) Name 2.) Title 3.) st. Address 4.) PO or box or company name 5.) City address 6.) Phone and Fax 7.) Email Address 8.) Disclaimer (This e-mail is to be used for business purposes only, do not send any e-mails to this address unless they have a specific business purpose. Thank you!) Oh and spacing lines, witty comments, thank yous and other diarrhea of the keyboard

dogknees

I can't control what I'm sent. If someone sends me information, I assume (reasonably or otherwise) that those concerned have made the included information available to that person and that as part of doing so, they have placed their trust in that person not to make it available to those that the originator didn't want included. It's no different to the rest of life. Telling someone something always carries the risk that they will pass it on or make use of it in some way. We make our judgement about their reliability and act accordingly. Why should email be any different? I would not, and do not, automatically reply to all. I suppose I'm focussing on work email as I use it very little outside the Office. As all staff's email addresses are available anyway, I'm not passing on anything private. If I consider it appropriate in a given situation, or I'm at all concerned about a given item, I would check with the originator(s), and will often cc them in so they are aware of the distribution of the information. Generally, I consider it is appropriate to notify people to whom you send information that others are also being made aware of it. Office Politics aside, of course! Regards

apotheon

This is indeed a weakness of the "always default to BCC" approach. Something that occurred to me as a possible "fix" for it is to automatically place one's own address in the To: field. This could cause problems, however, because some people would be annoyed by always getting copies of their own emails, and the obvious solution to that (deleting all emails that have one's own address in the From: field) seems kind of ham-handed and potentially prone to difficulties with "false positives". Of course, if someone really does want to receive copies of one's own emails, one's own email address is almost certain to be placed in the BCC field along with the rest of the recipients, given a "default to BCC" approach to interface design. I guess, in practice, we would need to actually just test such a solution with real users to see where the pitfalls -- if any -- actually lie.

Kevin W

Many users who want to send legitimate messages to groups would use BCC (at least on the first attempt of a given message), and some important discussions would get gummed up. Granted, this is a training issue, but then so is the proper use of BCC. In at least one place where I worked, the clear priority would be having Reply to All function as expected. Edit - this was intended as a separate comment, not a reply. Guess I don't speak up in these forums enough...

wizard57m-cnet

There are some good hosts for mailing lists, one I use is Freelists.org. I see no reason to stay with an email group host that doesn't have basic controls available, unless it's just a small group, or a very old long-standing group.

V.H. Scarpacci

Sometimes when I receive an abundance of e-mail that is sent to dozens of 'friends' I wish the internet tax e-mails were true. If people had to pay for each e-mail there would be a lot less 'this was so cute' or other unimportant subject in my inbox. If the charge was high enough it would be like my PO Box. That is only filled with junk mail and bills.

Neon Samurai

It makes building a contact database much easier than having to track down that information elsewhere. ;)

LCH-IT

This is exactly what I do when I have a forward with a number of recipients in BCC, I use my email in "To". I created a Recipient account in Address Book called "Friends, etc" and gave it my email address. I use this in "To" and put my real recipients in BCC. This eliminates the missing valid "To" problem with some email services. I have a rule set up in Outlook that automatically completely deletes email 'from me to me' so I never have to deal with it. This has the added benefit of automatically deleting all the spam that is addressed 'to me from me', a favorite spammers' tactic to bypass filters. The only thing I need to remember is not to forward email to myself, a small issue compared to the convenience factor.

apotheon

Reply to All is not the same as entering a crap-ton of email addresses in a forwarded or new email. In the former case, you're trying to respond to everybody who was a sender or recipient of an incoming email with a single click; in the latter, you're intentionally selecting who receives the email.

apotheon

I'm not talking about mailing lists under my control. I set up much saner defaults for lists I manage. I'm talking about the necessity of dealing with lists run by other people.