Common Knowledge in Email Exchanges

We consider a framework in which a group of agents communicates by means of emails, with the possibility of replies, forwards and blind carbon copies (BCC). We study the epistemic consequences of such email exchanges by introducing an appropriate epistemic language and semantics. This allows us to find out what agents learn from the emails they receive and to determine when a group of agents acquires common knowledge of the fact that an email was sent. We also show that in our framework from the epistemic point of view the BCC feature of emails cannot be simulated using messages without BCC recipients.


Motivation
Email is by now a prevalent form of communication. Its advantages speak for themselves. However, we rarely pause to reflect on its undesired consequences. Just to mention a few.
One occasionally reads about scandals caused by email leaks, see, e.g., [3]. On a smaller scale, users of the blind carbon copy feature (BCC) are sometimes confronted with an undesired situation in which a BCC recipient of an email reveals his status to others by using the reply-all feature. Further, many email systems allow one to edit a forwarded email, in particular allowing one to modify the content or the identity of the sender and of the recipients list.
Recently, a main Dutch daily, NRC Handelsblad, reported, see [10], that Wouter Bos, the Deputy Prime minister in the previous Dutch government, revealed the extensive network of his contacts by sending out his new email address to about four hundred of influential recipients whose email addresses were erronously put in the CC list instead of the BCC list. The list was leaked to the newspaper.
Epistemic consequences of email exchanges are occasionally raised by researchers in various contexts. For instance, the author of [2] mentions 'some issues of email ethics' by discussing a case of an email discussion in which some researchers were not included (and hence could not build upon the reported results).
Then consider the following recent quotation from a blog in which the writers call for a boycott of a journal XYZ: "We are doing our best to make the misconduct of the Editors-in-Chief a matter of common knowledge within the [...] community in the hope that everyone will consider whatever actions may be appropriate for them to adopt in any future associations with XYZ".
So when studying email exchanges a natural question arises: what are their knowledge-theoretic consequences? To put it more informally: after an email exchange took place, who knows what? Motivated by the above blog entry we can also ask: can sending emails to more and more new recipients ever create common knowledge? (Our Main Theorem shows that the answer is "No.") To be more specific consider the following example to which we shall return later. Example 1. Assume the following email exchange involving four people, Alice, Bob, Clare and Daniel: • Alice and Daniel got an email from Clare, • Alice forwarded it to Bob, • Bob forwarded Alice's email to Clare and Daniel with a BCC to Alice, • Alice forwarded the last email to Clare and Daniel with a BCC to Bob.

The question is:
Do all four people involved in this exchange have common knowledge of Bob's email?
To answer such questions we study email exchanges focusing on relevant features that we encounter in most email systems.
More specifically, we study the following form of email communication: • each email has a sender, a non-empty set of regular recipients and a (possibly empty) set of blind carbon copy (BCC) recipients. Each recipient receives a copy of the message and is only aware of the regular recipients and not of the BCC recipients (except himself), • in the case of a reply to or a forward of a message, the unaltered original message is included, • in a reply or a forward, one can append new information to the original message one replies to or forwards.
As a result, the email exchanges, as studied here, are essentially different from other forms of communication, in particular from multicasting, i.e., sending a message to a group of recipients. Also, the resulting model of email communication differs from the ones that were studied in other papers in which only limited aspects of emails have been considered. These papers are discussed below.

Contributions and plan of the paper
To study the relevant features of email communication we introduce in the next section a carefully chosen language describing emails. We make a distinction between a message, which is sent to a public recipient list, and an email, which consists of a message and a set of BCC recipients. This distinction is relevant because a forward email contains an earlier message, without the list of BCC recipients. We also introduce the notion of a legal state that captures the fact that there is a causal ordering on the emails. For example, an email needs to precede any forward of it.
To reason about the knowledge of the agents after an email exchange has taken place we introduce in Section 3 an appropriate epistemic language. Its semantics takes into account the uncertainty of the recipients of an email about its set of BCC recipients and the ignorance about the existence of emails that one neither sent nor received. This semantics allows us to evaluate epistemic formulas in legal states, in particular the formulas that characterize the full knowledge-theoretic effect of an email.
In Section 4 we present the main result of the paper, that clarifies when a group of agents can acquire common knowledge of the formula expressing the fact that an email has been sent. This characterization in particular sheds light on the epistemic consequences of BCC. The proof is given in Section 5.
Then in Section 6 we show that in our framework BCC cannot be simulated using messages without BCC recipients. Finally, in Section 7 we provide a characterization of legal states in terms of properly terminating email exchanges. This allows us clarify the notion of a causal relationship between emails.

Related work
The study of the epistemic effects of communication in distributed systems originated in the eighties and led to the seminal book [7]. The relevant literature, including [6], deals only with the customary form of communication, notably asynchronous send.
One of the main issues studied in these frameworks has been the analysis of the conditions that are necessary for acquiring common knowledge. In particular, [8] showed that common knowledge cannot be attained in the systems in which the communication is not guaranteed. More recently this problem was investigated in [4] for synchronous systems with known bounds on message transmission in which processes share a global clock. The authors proved that in such systems a so-called pivotal event is needed in order to obtain common knowledge. This in particular generalizes the previous result of [8] concerning acquisition of common knowledge in distributed systems with synchronous communication.
The epistemic effects of other forms of communication were studied in numerous papers. In particular, in [12] the communicative acts are assumed to consist of an agent j 'reading' an arbitrary propositional formula from another agent i. The idea of an epistemic contents of an email is implicitly present in [13], where a formal model is proposed that formalizes how communication changes the knowledge of a recipient of the message.
In [5] a dynamic epistemic logic modelling effects of communication and change is introduced and extensively studied. Further, in [17] an epistemic logic was proposed to reason about information flow w.r.t. underlying communication channels. [11] surveys these and related approaches and discusses the used epistemic, dynamic epistemic and doxastic logics.
Most related to the work here reported are the following two references. [1] studied knowledge and common knowledge in a set up in which the agents send and forward propositional formulas in a social network. However, the forward did not include the original message and the BCC feature was absent. More recently, in [15] explicit messages are introduced in a dynamic epistemic logic to analyze a similar setting, though BCC was simulated as discussed in Section 6. In both papers it is assumed that the number of messages is finite. In contrast, in the setting of this paper the forward includes the original message, which results directly in an infinite number of messages and emails.
Finally, the concept of a causal relation between messages in distributed systems is due to [9]. Lamport's analysis of causality was extended in the already cited paper [4] to synchronous systems with known bounds on message transmission.

Messages
In this section we define the notion of a message. We assume non-empty and finite sets of agents Ag = {1, . . ., n} and of notes L. Each agent has a set of notes he holds initially.
We make a number of assumptions. Firstly, we assume that the agents do not know which notes belong to the other agents. Furthermore, we assume that the agents only exchange emails about the notes. In particular, they cannot communicate epistemic formulas. We also assume that an agent can send a message to other agents containing a note only if he holds it initially or has learnt it through an email he received earlier.
We inductively define messages as follows, where in each case we assume that G = ∅: • m := s(i, l, G); the message containing note l, sent by agent i to the group G, • m := f (i, l.m ′ , G); the forwarding by agent i of the message m ′ with added note l, sent to the group G.
So the agents can send a message with a note or forward a message with a new note appended, where the latter covers the possibility of a reply or a reply-all. To allow for the possibility of sending a forward without appending a new note, we can assume there exists a note true that is held by all agents and identify true.m with m.
If m is a message, then we denote by S(m) and R(m), respectively, the singleton set consisting of the agent sending m and the group of agents receiving m. So for the above messages m we have S(m) = {i} and R(m) = G. We do allow that S(m) ⊆ R(m), i.e., that one sends a message to oneself.
Special forms of the forward messages can be used to model reply messages. Given f (i, l.m, G), using G = S(m) we obtain the customary reply message and using G = S(m)∪R(m) we obtain the customary reply-all message. (In the customary email systems there is syntactic difference between a forward and a reply to these two groups of agents, but the effect of both messages is exactly the same, so we ignore this difference.) In the examples we write s(i, l, j) instead of s(i, l, {j}), etc.

Emails
An interesting feature of most email systems is that of the blind carbon copy (BCC). We study here the epistemic effects of sending an email with BCC recipients and will now include this feature in our presentation.
In the previous subsection we defined messages that have a sender and a group of recipients. Now we define the notion of an email which allows the additional possibility of sending a BCC of a message. The BCC recipients are not listed in the list of recipients, therefore we have not included them in the definition of a message. Formally, by an email we mean a construct of the form m B , where m is a message and B ⊆ Ag is a possibly empty set of BCC recipients. Given a message m we call each email m B a full version of m.
Since the set of BCC recipients is 'secret', it does not appear in a forward. That is, the forward of an email m B with added note l is the message f (i, l.m, G) or an email f (i, l.m, G) C , in which B is not mentioned. This is consistent with the way BCC is handled in the email systems. However, this forward may be sent not only by a sender or a regular recipient of m B , but also by a BCC recipient. Clearly, the fact that an agent was a BCC recipient of an email is revealed at the moment he forwards the message.
A natural question arises: what if someone is both a regular recipient and a BCC recipient of an email? In this case, no one (not even this BCC recipient himself) would ever notice that this recipient was also a BCC recipient since everyone can explain his knowledge of the message by the fact that he was a regular recipient. Only the sender of the message would know that this agent was also a BCC recipient. This fact does not change anything and hence we assume that for any email m B we have (S(m)∪R(m))∩B = ∅.
Using the just introduced language we can formalize the story from Example 1 as follows, where we abbreviate Alice to a, etc.: • Alice and Daniel got an email from Clare: • Alice forwarded it to Bob: • Bob forwarded Alice's email to Clare and Daniel with a BCC to Alice: • Alice forwarded the last email to Clare and Daniel with a BCC to Bob.

Legal states
Our goal is to analyze knowledge of agents after some email exchange took place. To this end we need to define a possible collection of sent emails. First of all, we shall assume that every message is used only once. In other words, for each message m there is at most one full version of m, i.e., an email of the form m B . The rationale behind this decision is that a sender of m B and m B ′ might equally well send a single email m B∪B ′ . This assumption can be summarized as a statement that the agents do not have 'second thoughts' about the recipients of their emails. It also simplifies subsequent considerations.
In this work we have decided not to impose a total ordering on the emails in our model, for example by giving each email a time stamp. This makes the model a lot simpler. Also, many interesting questions can be answered without imposing such a total ordering. For example, we can investigate the existence of common knowledge in a group of agents after an email exchange perfectly well without knowing the exact order of the emails that were sent.
However, we have to impose some ordering on the sets of emails. For example, we need to make sure that the agents only send information they actually know. Moreover, a forward can only be sent after the original email was sent. We will introduce the minimal partial ordering that takes care of such issues.
First, we define by structural induction the factual information F I(m) contained in a message m as follows: Informally, the factual information is the set of notes which occur somewhere in the message, including those occurring in forwarded messages.
We will use the concept of a state to model the effect of an email exchange. A state s = (E, L) is a tuple consisting of a finite set E of emails that were sent and a sequence L = (L 1 , . . . , L n ) of sets of notes for all agents. The idea of these sets is that each agent i initially holds the notes in L i . We use E s and L s to denote the corresponding elements of a state s, and L 1 , . . ., L n to denote the elements of L.
We say that a state s = (E, L) is legal w.r.t. a strict partial ordering (in short, an spo) ≺ on E if it satisfies the following conditions: Condition L.1 states that the agents can only forward messages they previously received. Conditions L.2 and L.3 state that if an agent sends a note that he did not initially hold, then he must have learnt it by means of an earlier email.
We say that a state s is legal iff it is legal w.r.t. some spo. Given a legal state s, by its causality ordering we mean the smallest (so the least constraining) spo w.r.t. which s is legal.
So a state is legal if every forward was preceded by its original message, and for every note sent in an email there is an explanation how the sender of the email learnt this note.

Epistemic language and its semantics
We want to reason about the knowledge of the agents after an email exchange has taken place. For this purpose we use a language L of communication and knowledge defined as follows: Here m denotes a message. The formula m expresses the fact that m has been sent in the past, with some unknown group of BCC recipients. The formula i ◭ m expresses the fact that agent i was involved in a full version of the message m, i.e., he was either the sender, a recipient or a BCC recipient.
The formula C G ϕ denotes common knowledge of the formula ϕ in the group G.
We use the usual abbreviations ∨, → and ↔ and use K i ϕ as an abbreviation of C {i} ϕ. The fact that an email with a certain set of BCC recipients was sent can be expressed in our language by the following abbreviation: Note that this formula expresses the fact that the message m was sent with exactly the group B as BCC recipients, which captures precisely the intended meaning of m B .
We now provide a semantics for this language interpreted on legal states, inspired by the epistemic logic and the history-based approaches of [12] and [13]. For every agent i we define an indistinguishability relation ∼ i , where we intend s ∼ i s ′ to mean that agent i cannot distinguish between the states s and s ′ . We first define this relation on the level of emails as follows (recall that we assume that senders and regular recipients are not BCC recipients): iff one of the following contingencies holds: Condition (i) states that the sender of an email confuses it only with the email itself. In turn, condition (ii) states that each regular recipient of an email who is not a sender confuses it with any email with the same message but possibly sent to a different BCC group. Next, condition (iii) states that each BCC recipient of an email confuses it with any email with the same message but sent to a possibly different BCC group of which he is also a member. Finally, condition (iv) states that each agent confuses any two emails in which he is not involved.
Example 2. Consider the emails e := s(i, l, j) ∅ and e ′ := s(i, l, j) {k} . We have then e ∼ i e ′ , e ∼ j e ′ and e ∼ k e ′ . Intuitively, agent j cannot distinguish between these two emails because he cannot see whether k is a BCC recipient. In contrast, agents i and k can distinguish between these two emails.
Next, we extend the indistinguishability relation to legal states by defin- iff all of the the following hold: So two states cannot be distinguished by an agent if they agree on his notes and their email sets look the same to him. Since we assume that the agents do not know anything about the other notes, we do not refer to the sets of notes of the other agents. Note that ∼ i is an equivalence relation.
Example 3. Consider the legal states s 1 and s 2 which are identical apart from their sets of emails: We assume here that l ∈ L i . The corresponding causality orderings clarify that in the first state agent i sends a message with proposition p to agent j and then j forwards this message to agent o. Further, in the second state agent i sends the same message but with a BCC to agent k, and then both agent j and agent k forward the message to agent o.
From the above definition it follows that s 1 ∼ i s 2 , s 1 ∼ j s 2 , s 1 ∼ k s 2 and s 1 ∼ o s 2 . For example, the first claim holds because, as noticed above, s(i, l, j) ∅ ∼ i s(i, l, j) {k} . Intuitively, in state s 1 agent i is aware that he sent a BCC to nobody, while in state s 2 he is aware that he sent a BCC to agent k. In turn, in both states s 1 and s 2 agent j is aware that he received the message s(i, l, j) and that he forwarded the email f (j, s(i, l, j), o) ∅ . Intuitively, in state s 2 agent j does not notice the BCC of the message s(i, l, j) and is not aware of the email f (k, s(i, l, j), o) ∅ .
In order to express common knowledge, we define for a group of agents G the relation ∼ G as the reflexive, transitive closure of i∈G ∼ i . Then we define the truth of a formula from our language in a state inductively as follows, where s = (E, L): We say that ϕ is valid (and often just write 'ϕ' instead of 'ϕ is valid') if for all legal states s, s |= ϕ.
Even though this definition does not specify the form of communication, one can deduce from it that the communication is synchronous, that is, that each email is simultaneously received by all the recipients. Namely, the condition of the form m B ∈ E present in the second clause implies that for every email m B the following equivalence is valid for all This means that in every legal state (E, L) either all recipients of the email m B received it (when m B ∈ E) or none (when m B ∈ E). However, it should be noted that the agents do not have a common 'clock' using which they could deduce how many messages have been sent. Also, there is no common 'blackboard' using which they could deduce how many messages have been sent by other agents between two consecutive messages they have received.
The following lemma clarifies when specific formulas are valid. In the sequel we shall use these observations implicitly.
The second item states that m → i ◭ m ′ is valid either if i is a sender or a receiver of m ′ (in that case actually i ◭ m ′ is valid) or i forwarded the message m ′ . The latter is also possible if i was a BCC receiver of m ′ . The claimed equivalence holds thanks to condition L.1.

Example 4.
To illustrate the definition of truth let us return to Example 3. In state s 2 agent j does not know that agent k received the message s(i, l, j) since he cannot distinguish s 2 from the state s 1 in which agent k did not receive this message. So s 2 |= ¬K j k ◭ s(i, l, j) holds.
On the other hand, in every legal state s 3 such that s 2 ∼ o s 3 both an email f (k, s(i, l, j), o) C and a 'justifying' email s(i, l, j) B have to exist such that s(i, p, j) B ≺ f (k, s(i, l, j), o) C and k ∈ B. Consequently s 3 |= k ◭ s(i, l, j), so s 2 |= K o k ◭ s(i, l, j) holds, so by sending the forward agent k revealed himself to o as a BCC recipient.
We leave to the reader checking that both s 2 |= C {k,o} k ◭ s(i, l, j) and s 2 |= ¬C {j,o} k ◭ s(i, l, j) holds. In words, agents k and o have common knowledge that agent k was involved in a full version of the message s(i, l, j), while the agents j and o don't.

Common knowledge
We now clarify when a group of agents acquires common knowledge of the formula expressing that an email was sent. This shows how we can use our framework to investigate epistemic consequences of email exchanges.
Given a set of emails E and a group of agents A, let When e ∈ E A we shall say that the email e is shared by the group A. Note that when |A| ≥ 3, then e ∈ E A iff A ⊆ S(m) ∪ R(m). When |A| = 2, then e ∈ E A also when ∃j ∈ B : A = S(m) ∪ {j}, and when |A| = 1, then e ∈ E A also when A = S(m) or ∃j ∈ B : A = {j}.
The following theorem summarizes our results.
Main Theorem Consider a legal state s = (E, L) and a group of agents A.
(ii) Suppose that |A| ≥ 3. Then s |= C A m B iff the following hold: • the email m B involves all agents, • for every agent i that is on the BCC list of m B there is an email shared by the group A that proves that i forwarded message m, • there is an email shared by the group A that proves the existence of the message m.
The first of the above three items is striking and shows that common knowledge of an email is rare.
As an aside let us mention that there is a corresponding result for the case when |A| < 3, as well. However, it involves a tedious case analysis concerning the possible relations between A, S(m), R(m) and B, so we do not present it here.
We can use the above result to answer the question posed in Example 1. Let s be the state whose emails consist of the considered four emails, so

Proof of the Main Theorem
We establish first a number of auxiliary lemmas. We shall use a new strict partial ordering on emails. We define Note that m ′ → m precisely if m ′ is a forward, or a forward of a forward, etc, of m. Then for two emails m B and m B ′ from a legal state s with the causality ordering ≺, m B < m B ′ implies m B ≺ m B ′ on the account of condition L.1. However, the converse does not need to hold since m B ≺ m B ′ can hold on the account of L.2 or L.3. Further, note that the <-maximal elements of E are precisely the emails in E that are not forwarded.
Given a set of emails E and E ′ ⊆ E we then define the downward closure of E ′ by The set of emails E on which the downward closure of E ′ depends will always be clear from the context. Next, we introduce two operations on states. Assume a state (E, L) and an email m B ∈ E.
We define the state Intuitively, s \ m B is the result of removing the email m B from the state s, followed by augmenting the sets of notes of its recipients in such a way that they initially already had the notes they would have acquired from m B . Note that s \ m B is a legal state if m B is an <-maximal element of E.
Next, given C ⊆ B we define the state is the result of shrinking the set of BCC recipients of m from B to C, followed by an appropriate augmenting of the sets of notes of the agents that no longer receive m.
Note that s[m B →C ] is a legal state if there is no forward of m by an agent i ∈ B \ C, i.e., no email of the form f (i, l.m, G) D exists in E such that i ∈ B \ C.
We shall need the following lemma that clarifies the importance of the set E A of emails. Proof. We prove that for all <-maximal emails Iterating this process we get the desired conclusion. Suppose Suppose now j ∈ B. Define Then s 1 is a legal state and s ∼ j s 1 . Next, define Note that both s 1 and s 2 are legal states since m B is <-maximal.
Using the above lemma we now establish two auxiliary results concerning common knowledge of the formula i ◭ m or of its negation.
To illustrate various alternatives listed in (i) note that each of the following emails in E ensures that s |= C {j} i ◭ m, where in each case m is the corresponding send message: The first four of these emails imply s |= C {j} i ◭ m by the first clause of (i), the last one by the second clause.
Hence for some group B we have m B ∈ (E A ) ≤ and i ∈ S(m) ∪ R(m) ∪ B. Three cases arise.
Consequently m ′ → m and hence m ′ → i ◭ m. So the claim holds as well.
Then by the definition of E A , m B ∈ E A so the claim holds. If for some note l and groups G and C we have In the former case we use the fact that the implication f (i, l.m, G) → i ◭ m is valid. In the latter case m ′ → f (i, l.m, G) and hence m ′ → i ◭ m. So in both cases the claim holds.
Otherwise let s ′′ = s ′ [m B →B\{i} ]. Note that s ′′ is a legal state because i does not forward m in s ′ . Take some j ∈ A \ (S(m) ∪ {i}). Then s ′ ∼ j s ′′ , so s ∼ A s ′′ . Moreover, s ′′ |= ¬i ◭ m, which yields a contradiction. So this case cannot arise.
( ⇐ ) The claim follows directly by the definition of semantics. We provide a proof for one representative case. Suppose that for some email m ′ B ∈ E A both A ⊆ S(m ′ ) ∪ R(m ′ ) and m ′ → i ◭ m. Take some legal state s ′ such that s ∼ A s ′ . Then for some group B ′ we have m ′ B ′ ∈ E s ′ . So s ′ |= m ′ and hence s ′ |= i ◭ m. Consequently s |= C A i ◭ m. We first consider the case that A ⊆ S(m) ∪ {i}. Let s ′ be any legal state such that s ∼ A s ′ . Assume s ′ |= i ◭ m. Then m B ∈ E s ′ for some group B such that i ∈ B. Since A ⊆ S(m) ∪ {i}, any legal state s ′′ such that s ′ ∼ A s ′′ contains an email m C ∈ E s ′′ for some group C such that i ∈ C. So s ′′ |= i ◭ m. In particular, this holds for the state s, which contradicts our assumption. So s ′ |= ¬s(i, n, G) and hence s |= C A ¬s(i, n, G).
Now we consider the case that s |= C A ¬m. Let s ′ be such that s ∼ A s ′ . Then s ′ |= ¬m. Since i ◭ m → m is valid, we get s ′ |= ¬i ◭ m. So We are now ready to prove the Main Theorem. Proof (i) ( ⇒ ) Suppose s |= C A m. Take the legal state s ′ constructed in Lemma 2. Then s ∼ A s ′ , so s ′ |= m. So for some group B we have Hence either m B ∈ E A or some email m ′ B ′ ∈ E A exists such that m B < m ′ B ′ . In both cases the claim holds. ( ⇐ ) Suppose that for some email m ′ B ∈ E A we have m ′ → m. Take some legal state s ′ such that s ∼ A s ′ . Then by the form of E A and the definition of semantics for some group B ′ we have m ′ B ′ ∈ E s ′ . So s ′ |= m ′ and hence s ′ |= m. Consequently s |= C A m.
(ii) By the definition of m B , the fact that the C A operator distributes over the conjunction, part (i) of the Main Theorem and Lemma 3 we have ( ⇒ ) Suppose s |= C A m B . Then properties C3-C6 hold. But |A| ≥ 3 and s |= C A m imply that no conjunct of C5 holds. Hence property C1 holds.
Further, since |A| ≥ 3 the first disjunct of each conjunct in C4 does not hold. So the second disjunct of each conjunct in C4 holds, which implies property C2.
For i ∈ S(m) ∪ R(m) we have m → i ◭ m. So C2 implies property C4. Further, since C1 holds, properties C5 and C6 hold vacuously.

Analysis of BCC
In our framework we built emails out of messages using the BCC feature. So it is natural to analyze whether and in what sense the emails can be reduced to messages without BCC recipients.
Analogous simulation can be formed for the forward email f (i, l.m, G) B . At first sight, it seems that this simulation has exactly the same epistemic effect as the original email with the BCC recipients. In both states, agents j 1 , . . ., j k receive a copy of the message and only each of them separately and the sender of the message are aware of this. However, there are two subtle differences.
First of all, there is a syntactic difference between message that agents j 1 , . . ., j k receive in the original case and in the simulation. In the original case they receive exactly the message m, and in the simulation they receive a forward of it. This also means that if they reply to or forward the message, there is a syntactic difference in this reply or forward. This difference is purely syntactic and does not essentially influence the knowledge of the agents, even though it clearly influences the truth value of the formula j ◭ m which is true for j ∈ {j 1 , . . ., j k } in the original case but not in the simulation.
The second difference is more fundamental. If agents j 1 , . . ., j k are BCC recipients of m and they do not send a reply to or a forward of m, then each of them can be sure that no other agent but the sender of m knows he was a BCC recipient. Indeed, in our framework there is no message the sender of m could send to another agent, that expresses that agents j 1 , . . ., j k were the BCC recipients of m.
In the case of the simulation however, these recipients do not receive a BCC but a forward. Since these forwards may have additional BCC recipients of which agents j 1 , . . ., j k are unaware, they cannot be sure that the other agents do not know that they received a forward of the message. Furthermore, the sender of m could also forward the forward he sent to j 1 , . . ., j k without informing them about it, thus also revealing their knowledge of m.
A concrete example that shows this difference is the following.
Then s |= K 3 ¬K 2 K 3 s(1, l, 2), that is, agent 3 is sure that agent 2 does not know about his knowledge of the message s(1, l, 2). A simulation of this email without a BCC recipient would result in the state t with (we abbreviate here each email m ∅ to m) Now consider a state t ′ with: s(1, l, 2), 3), 2)}.
This argument can be made more general as follows. Below, in the context of a state we identify each message m with the email m ∅ . Then we have the following result.
Theorem 6. Take a legal state s = (E, L), an email m B ∈ E and an agent j ∈ B such that E does not contain a forward of m by j or to j. Then for any set of messages M such that (M, L) is a legal state we have for any agent k ∈ S(m) ∪ {j} Proof. Agent j is a BCC recipient of m in s, so by the definition of the semantics s |= K j m. We will first show that s |= K j ¬K k K j m. Take some state t such that s ∼ j t. Then by the definition of the semantics there is some group C such that m C ∈ E t and j ∈ C. Suppose that m is a send email, say m = s(i, l, G). For the case that m is a forward email the reasoning is analogous. Let u be the state like t, but with E u = E t \{s(i, l, G) C } ∪ {s(i, l, G) C\{j} , s(i, l, j)}.
Note that we implicitly assume that no full version of s(i, l, j) is already present in E t . If there were such a full version, we could do the same construction without adding s(i, l, j) to E t . Since there are no forwards of m by j or to j in E, and s ∼ j t, there are no forwards of m by j or to j in E t . This shows that u is a legal state and that there are no forwards of m to j in E u so u |= K j m. Clearly, for any k ∈ S(m) ∪ {j} we have t ∼ k u. So t |= K k K j m, which shows that s |= K j ¬K k K j m.
Take now any set of messages M such that (M, L) is legal and suppose (M, L) |= K j m. Then by the Main Theorem there is some message m ′ in which agent j was involved that implies that message m was sent. By the requirements on the legal states we know that there is such a message m ′ of which agent j was a recipient, and not the sender, since agents can only send information they initially knew or received through some earlier message. Since there are no BCC recipients in M , we conclude that agent j is a regular recipient of m ′ that he received from some other agent and that m ′ → m is valid.
Define the set of messages M ′ by Note that (M ′ , L) is a legal state, and (M ′ , L) |= K k m ′ . Since j is a regular recipient of m ′ , m ′ → K j m ′ is valid and since m ′ → m is also valid this implies that (M ′ , L) In view of our assumption that (M, L) |= K j m we conclude that (M, L) |= K j m ∧ K j ¬K k K j m.
In this theorem we assume that for the BCC recipient j of the message m there are no forwards of m to j or by j. The theorem shows that under these assumptions, s and (M, L) can be distinguished by an epistemic formula concerning the message m. We will now show that these assumptions are necessary. We can see that (M, L) is a perfect BCC-free simulation of s: for any formula ϕ that holds in s, if we replace the occurrences of 3 ◭ s(1, l, 2) in ϕ by f (1, s(1, l, 2), 3) then the result holds in (M, L). The reason that we can find such a set M is that in E there is a forward of s(1, l, 2) to agent 3. This reveals the "secret" that agent 3 knows about s(1, l, 2) and then the fact that agent 3 was a BCC recipient of s(1, l, 2) is no longer relevant. Again, for any formula ϕ that holds in s, if we replace the occurrences of 3 ◭ s(1, l, 2) in ϕ by f (1, s(1, l, 2), 3) then the result holds in (M, L). Now the reason is that agent 3 informed agent 2 that he was a BCC recipient of s(1, l, 2) in s by sending a forward of this message, so again the fact that agent 3 knows s(1, l, 2) is not secret anymore.
It is interesting to note that the impossibility of simulating BCC by means of messages is in fact caused by our choice of uninterpreted notes as the basic contents of the messages. If our framework allowed one to send messages containing more complex information, for example a formula of the form j ◭ m, the sender of m could have informed other agents who were the BCC recipients. Then in Example 5 we could consider a state s ′ with By appropriately extending our semantics we would have then s ∼ 3 s ′ and s ′ |= K 2 K 3 s(1, n, 2), and hence s |= K 3 ¬K 2 K 3 s(1, n, 2), so the difference between the above two states s and t would then disappear. We leave an analysis of this extension of our framework and the role of BCC in this extended setting as future work.

Email exchanges
In this section we provide a characterization of the notion of a legal state in terms of email exchanges. In this setting emails are sent in a nondeterministic order, each time respecting the restrictions imposed by the legality conditions L.1 -L.3 of Subsection 2.3.
We define first an operational semantics in the style of [14], though with some important differences concerning the notions of a program state and the atomic transitions. Let M be the set of all messages (so not emails). By a mailbox we mean a function σ : Ag → P(M ); σ(i) is then the mailbox of agent i. If for all i we have σ 0 (i) = ∅, then we call σ 0 the empty mailbox . A configuration is a construct of the form < s, σ >, where s is a legal state and σ is a mailbox.
Atomic transitions between configurations are of the form • s ′ := (E, L), • for j ∈ Ag We say that the above transition processes the email m B . This takes place subject to the following conditions depending on the form of m, where L = (L 1 , . . . , L n ): • send m = s(i, l, G).
We stipulate then that l ∈ L i or for some m ′ ∈ σ(i) we have l ∈ F I(m ′ ). In the second case of the second alternative we say below that m depends on m ′ .
We stipulate then that m ′ ∈ σ(i), and l ∈ L i or for some m ′′ ∈ σ(i) we have l ∈ F I(m ′′ ).
In the case of the first alternative we say below that m depends on m ′ and in the case of the second alternative that m depends on m ′ and m ′′ .
Given a legal state s an email exchange starting in s is a maximal sequence of transitions starting in the configuration < s, σ 0 >, where σ 0 is the empty mailbox. An email exchange properly terminates if its last configuration is of the form < s ′ , τ >, where s ′ = (∅, L).
Note that messages are never deleted from the mailboxes. Further, observe that in the above atomic transitions we augment the mailboxes of the recipients of m B (including the BCC recipients) by m and not by m B . So the recipients of m B only 'see' the message m in their mailboxes. Likewise, we augment the mailbox of the sender by the message m and not by m B . As a result when in an email exchanges a sender forwards his own email, the BCC recipients of the original email are not shown in the forwarded email. This is consistent with the discussion of the emails given in Subsection 2.2.
Observe that from the form of a message m in the mailbox σ(i) we can infer whether agent i received it by means of a BCC. Namely, this is the case iff i ∈ R(m) ∪ S(m). (Recall that by assumption the sets of regular recipients and BCC recipients of an email are disjoint.) The following result then clarifies the concept of a legal state. The equivalence between (i) and (ii) states that the property of a legal state amounts to the possibility of processing all the emails in an orderly fashion.
Proof. Suppose s = (E, L). (i) ⇒ (ii). Suppose s is legal w.r.t. an spo ≺. Extend ≺ to a linear ordering ≺ l on E. (Such an extension exists on the account of the result of [16].) By the definition of the atomic transitions we can process the emails in E in the order determined by ≺ l . The resulting sequence of transitions forms a properly terminating email exchange starting in s.
(ii) ⇒ (iii). Let ξ be a properly terminating email exchange starting in s and ξ ′ another email exchange starting in s. Let m B be the first email processed in ξ that is not processed in ξ ′ . The final mailbox of ξ ′ contains the message(s) on which m depends on, since their full versions were processed in ξ before m B and hence were also processed in ξ ′ . So m B can be processed in the final mailbox of ξ ′ , i.e., ξ ′ is not a maximal sequence. This is a contradiction.
(ii) ⇒ (i). Take a properly terminating email exchange ξ starting in s. For two emails e 1 , e 2 ∈ E let e 1 ≺ e 2 iff e 1 is processed in ξ before e 2 . By the definition of the atomic transitions s is legal w.r.t. ≺.

Conclusions and future work
Email is by now one of the most common forms of group communication. This motivates the study here presented. The language we introduced allowed us to discuss various fine points of email communication, notably forwarding and the use of BCC. The epistemic semantics we proposed aimed at clarifying the knowledge-theoretic consequences of this form of communication. Our presentation focused on the issue of common knowledge allowed us to determine when a group of agents has a common knowledge of an email.
This framework also leads to natural questions concerning axiomatization of the introduced language and the decidability of its semantics. Currently we work on • a sound and complete axiomatization of the epistemic language L of Section 3; at this stage we have such an axiomatization for the nonepistemic formulas, • the problem of decidability of the truth definition given in Section 3; at this stage we have a decidability result for positive formulas, • a comparison of the proposed semantics with the one based on sequences ('histories') of emails rather than partially ordered sets of emails.
In our framework, as explained in Section 3, communication is synchronous. We plan to extend our results to the more general framework of [4], by assuming for each agent a time bound by which he reads his emails.
Another extension worthwhile to study is one in which the agents communicate richer basic statements than just notes. We already indicated in Section 6 that sending messages containing a formula i ◭ m increases the expressiveness of the messages from the epistemic point of view. One could also consider in our framework sending epistemic formulas, a feature recently studied in a different setting in [15].