
“Here is a rich man who is the victim of a painful and persistent disease as the result of gluttony. He is willing to give large sums of money to get rid of it, but he will not sacrifice his gluttonous desires. He wants to gratify his taste for rich and unnatural viands and have his health as well. Such a man is totally unfit to have health, because he has not yet learned the first principles of a healthy life.” — James Allen, As a Man Thinketh
An email footer is not a privacy or security control. But you wouldn’t know that from the way many people treat them.
The word CONFIDENTIAL appears at the bottom of emails across virtually every industry. Bolded. Legal-sounding. Sometimes threatening. It gives the impression that sensitive information is being handled with discipline and care. Management feels covered. Legal feels protected. The checkbox is checked!
What I see in practice is labeling of “sensitive information” without actual enforcement. Emails are stamped “CONFIDENTIAL” and then forwarded casually, downloaded onto unmanaged devices, and stored indefinitely in inboxes and cloud repositories with little oversight. There are often no meaningful classification standards behind the label, no technical controls restricting access, no retention, and no auditing to verify how the information is actually handled. The email footer exists to create the appearance of privacy and security rather than the reality of it. It also serves a quieter purpose…giving people plausible deniability while the proper governance work is left undone.
That disconnect became especially telling when emails surfaced in the broader Epstein document disclosures recently, including correspondence attributed to Peter Attia, M.D., complete with a formal confidentiality footer likely added in the name of “HIPAA compliance”, warning that the information was privileged, protected by federal and state privacy laws, and not to be disseminated. The irony! 🙂

As you can see in his email footer, the language is strong, the tone authoritative – all very professional sounding. The message is clear that this information was not meant for public consumption. And yet there it is, publicly available for anyone to read.
Hey, Dr. Attia: I’m notifying you of your email…
Being in the keto and health hacking worlds, I used to respect Dr. Attia, but something about him never sat quite right with me. I remember him making contradictory statements and just saying things about health and longevity that didn’t add up. I think that was my gut feeling expressing itself. 🙂
None of that changes how email technology actually works. A confidentiality disclaimer doesn’t override how messaging systems, backups, screenshots, or breaches operate. It does not prevent forwarding or subpoenas…or even a leak. It does not prevent the recipient from mishandling the content the moment it hits their inbox. And it does nothing to address the risk on the sender’s side. If the sending system lacks proper security controls (full-disk encryption on the device, enforced access policies, secured endpoints), the email is exposed before it ever reaches the recipient. Legal language at the bottom of a message is not a substitute for any of that.
This is where James Allen’s quote above comes into play. The assumption that wealth, status, or professional prominence changes how technology works is its own form of indulgence. This is nothing new. I remember writing about a situation involving Mark Zuckerberg after his Twitter and Pinterest accounts were compromised because he was reusing a weak password across multiple platforms. Even the most tech-savvy people make elementary security mistakes while projecting control. I certainly have. The Epstein disclosures are just the most recent example of an older problem.
What makes it all so ironic is that executives and high-profile individuals are routinely the people most exempt from the security policies that govern everyone around them. Yet they are also the highest-value targets. The more prominent and powerful someone is, the more attractive their data becomes, yet the reliance on legacy email habits, unmanaged devices, and sloppy governance continues. I still see this in my work, and it just doesn’t add up, but it is what it is.
Something else I often see that’s related to this messaging confidentiality conundrum…sending a “secure” link via email to download a document while requiring no real credential verification beyond clicking the link. Even email and file sharing platforms that require authentication are not as secure as people assume unless multi-factor authentication is actually enforced. A password alone may not be sufficient, and without MFA, a “secure” system is often only marginally more protected than one without any access controls at all. If you are concerned about email exposure, enforce authentication and access controls that reflect those risks. Otherwise, you have added mere impediments (busy work) without adding any meaningful protection.
The funny thing is, modern email infrastructure from major providers is secure in transit. TLS encryption is widely enforced. So the problem isn’t data in transit…it’s the before and after. Once an email is sent and then lands in an inbox, synchronizes to multiple devices, gets backed up, exported, or screenshotted, control becomes impossible to trace. If those devices are not using full-disk encryption (which is still very common based on what I see in my work), one of the most effective baseline controls available is simply not in place. You know how I feel about those basics…
Information classification and governance are not new. They have been part of information security for several decades. If you intend to protect confidential information, you need to think things through rather than just slapping a label on something and hoping for the best. I have worked enough breach projects and legal cases as an expert witness to know that investigators and opposing counsel are not interested in what your email footer said. They want to know what you actually did.
If confidentiality and privacy are genuine priorities, build the habits and systems that reflect your principles. If they aren’t, don’t pretend that a paragraph at the bottom of an email makes it so.