Outlook private items – Not as private as you might think

A common situation in organizations is to make calendars public, so that employees can see other employees' availability and collaborate better.  Users may also delegate rights to other users to view their messages, tasks, and contacts.  In these situations, people may rely on marking sensitive items private to hide them from other users.  In Outlook or OWA, other users will see a placeholder for the private items, but won't be able to view any of the details.  However, you should keep in mind that this privacy is only a feature of the client application (Outlook or OWA) and is not inherent to Exchange.  Exchange itself does not support any kind of item-level security or privacy; it only has a field called "sensitivity" which is used by Outlook and OWA.  The client applications look at that field to determine whether to display the item.

This architecture is common to all versions of Outlook and Exchange, through 2010, and is not really a bug so much as an architectural decision by Microsoft to keep item-level permissions in the client tier.  The end result is that people should realize that just because they mark an appointment or other item private in Outlook, it doesn't mean that no one else will be able to see it.  Items that are extremely sensitive should probably not be stored in Exchange in the first place, or you should remove all delegate / view rights to your mailbox.  People you give delegate rights to should also be people you trust.

Developers should note that when writing custom applications with WebDAV, Exchange Web Services, or any other method, all items are returned, including private items.  The custom application should look at the sensitivity setting of each message before displaying it.  If the sensitivity is private, then the message should not be displayed.  We, at Kraft Kennedy, have run into this issue several times when creating custom applications with WebDAV that pull back appointments from the Exchange calendar.
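As an added illustration (not code from this post or from Kraft Kennedy), here is the client-side check that paragraph calls for, written in Python over a constructed sample of the items an EWS FindItem on a shared calendar hands back. The t: namespace is the real EWS types namespace; the appointments, dates and the "Private Appointment" placeholder text are assumptions made up for the example.

```python
import xml.etree.ElementTree as ET

# Real EWS "types" namespace; the items below are a constructed sample, not a
# real capture. Note the private item comes back with full details: Exchange
# itself hides nothing, the Sensitivity field is the only difference.
NS = {"t": "http://schemas.microsoft.com/exchange/services/2006/types"}
SAMPLE_ITEMS = """<t:Items xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types">
  <t:CalendarItem><t:Subject>Team standup</t:Subject><t:Sensitivity>Normal</t:Sensitivity>
    <t:Start>2010-06-01T09:00:00Z</t:Start><t:End>2010-06-01T09:30:00Z</t:End>
    <t:Location>Room 4</t:Location></t:CalendarItem>
  <t:CalendarItem><t:Subject>Oncologist follow-up</t:Subject><t:Sensitivity>Private</t:Sensitivity>
    <t:Start>2010-06-01T14:00:00Z</t:Start><t:End>2010-06-01T15:00:00Z</t:End>
    <t:Location>Clinic</t:Location></t:CalendarItem>
  <t:CalendarItem><t:Subject>Budget review</t:Subject>
    <t:Start>2010-06-02T10:00:00Z</t:Start><t:End>2010-06-02T11:00:00Z</t:End></t:CalendarItem>
</t:Items>"""


def _text(item, tag):
    """Text of the t:<tag> child of item, or None if the element is absent."""
    el = item.find(f"t:{tag}", NS)
    return el.text if el is not None else None


def redact_private_items(items_xml, viewer_is_owner=False):
    """Apply the Outlook/OWA rule on the client side: a delegate sees only a
    placeholder for items whose Sensitivity is Private.

    Start and End are kept so the placeholder still blocks out the time; Subject,
    Location and every other detail are dropped. A missing Sensitivity element is
    treated as Normal (the EWS default). The mailbox owner sees everything.
    """
    visible = []
    for item in ET.fromstring(items_xml).findall("t:CalendarItem", NS):
        sensitivity = _text(item, "Sensitivity") or "Normal"
        hide = sensitivity == "Private" and not viewer_is_owner
        visible.append({
            "subject": "Private Appointment" if hide else _text(item, "Subject"),
            "location": None if hide else _text(item, "Location"),
            "start": _text(item, "Start"),
            "end": _text(item, "End"),
            "redacted": hide,
        })
    return visible


if __name__ == "__main__":
    for entry in redact_private_items(SAMPLE_ITEMS):
        print(f'{entry["start"]}  {entry["subject"]}')
```

The same check applies to WebDAV results, where the sensitivity arrives as a property on each item instead of an EWS element; the point is that the filter has to live in your code, because nothing upstream applies it.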

Microsoft has details about allowing other users to manage your mail and calendar here:

http://office.microsoft.com/en-us/outlook/HA100750811033.aspx?pid=CH100788801033

Note the last paragraph of the article:

Important   You should not rely on the Private feature to prevent other people from accessing the details of your appointments, contacts, or tasks. To make sure that other people cannot read the items that you marked as private, do not grant them Reviewer (can read items) permission to your Calendar, Contacts, or Tasks folder. A person who is granted Reviewer (can read items) permission to access your folders could use programmatic methods or other e-mail programs to view the details of a private item. Use the Private feature only when you share folders with people whom you trust.