Slashdot Mirror


Protecting Your Company While Protecting Privacy?

gmhowell asks: "After reading this story on Slashdot, it seems to me that I haven't heard of a good proposal from employees regarding their e-mail/browsing privacy compared to the demands that a company avoid lawsuits. I manage a small business and am well aware of how bizarre the EEOC and others can get when it comes to sexual harassment, racial quotas, etc. For example, if a delivery person flirts with a secretary too much, is it UPS who has created the hostile workplace? Nope. It's my company. Similarly, the company can and will be held liable for any e-mail sent that ends in '@familyhealthcarepa.com'. So we really should be monitoring all e-mail, both internal and external. However, most of our employees are trustworthy, hardworking, and not interested in using our system to create mischief and I really don't want to turn into 'Big Brother'."

"Sure, I'll block a URL here or there but spot checking e-mail? How long until some smartass comes up with a .sig containing all of my keywords?

In general, people are going to be more productive if they take their five minute break at their terminal browsing than screwing around by the coffee machine. Along the same venue, I am not interested in tracking 'abuse' (such as hitting eBay, checking the sports scores, etc.) If someone is using that much time that it interferes with their job, I'll be speaking with them regarding their dereliction of duties in general, and not speaking to them about Internet usage in particular.

So, again, I pose the question: what sort of policy and procedures will protect the privacy of employees' surfing and e-mail, while still protecting my company from liability?"

184 comments

  1. Next software I release... by Anonymous Coward · · Score: 1

    Will have a clause against use by lawyers. It's only fair, they seem to like doing the same to us.

  2. Re:Private moments. by Anonymous Coward · · Score: 1
    That's crap. There are no "private moments" at work. People, this is WORK. If it was FUN they'd call it that.

    Tell employees to limit their e-mail to a standard comparable to their telephone calls. Too many personal calls/e-mails is a bad thing. How many is "too many" is a matter of judgement on the part of the employee AND the management involved.

    If it's not work, save it until you get home.

    Now, get back to work you lazy bastards. ;>

  3. Protecting Your Company While Protecting Privacy? by Anonymous Coward · · Score: 1

    IANAL, and I am looking at this mostly from an employee perspective. Some of the ideas suggested either won't work or will cause too much collateral damage.

    1. Block outgoing mail? That might be acceptable at some companies, but at most it would cause productivity to nosedive. If you'd rather your employees spend 3 hours playing telephone tag than 5 minutes composing an email, cool.

    2. Issue 2 email addresses? An insignificant increase in the time that it takes to read your mail, so it doesn't cost much. But if you say something that gets the company sued, I'm fairly confident that the company will still be on the hook.

    3. Filtering software? "It's OK, honey, I've had a vasectomy. The check's in the mail. User friendly. You're the only customer that ever complained." Yeah, maybe one day we'll have filtering software that does what it's supposed to, supported by a company with no hidden agenda, but in the meantime I'm keeping it well away from any machine I control.

    I like the idea of bringing the employees into the loop before deciding on policy. Given some of the lunatic decisions on what constitutes harassment, e.g., Sports Illustrated, I suspect that companies really do need to monitor in order to protect themselves. But if they start putting video cameras in the lavatories, I might sue.

    BTW, I find it ironic that with some of the dunderheaded decisions that innocent behaviors are harassment, it can be extremely difficult to collect in cases of genuine harassment.

  4. Re:Private moments. by Anonymous Coward · · Score: 2
    If it's not work, save it until you get home.

    Hey, no problem. Of course, we'll be leaving for home one nanosecond after the clock says we can leave.

    Oh, you wanted more than 40 hours per week of work out of us? Then start paying us for it, you greedy skinflints.

  5. Re:not draconian at all by narf · · Score: 1

    Where I work most of the remote users change positions often enough that they have userids like cn_ast2 (Property CN, Assistant 2), and they still plenty of personal mail.

  6. Re:Totally wrong solution by Analog · · Score: 4
    Bingo.

    The law has determined that you need to be held responsible for the actions of any individual who works for you, which requires draconian privacy invasion in order to protect yourself.

    So do it.

    However, make sure your employees know why you're doing it. Tell them you have no interest in their activities, but must monitor them in order to avoid very expensive lawsuits. Then give them a list of phone numbers and addresses, and let them know if the liability can be changed, so will your policy. You'd be surprised at how many otherwise disinterested people will take an active role in politics (if only by making sure to vote or writing their congressman every so often) when you bring it home to them how these laws affect them on a day to day basis.

    A good way to get them motivated would be to explain that most of these laws are created from the standpoint that employees are pretty much considered to be 'company property', and have no inherent privileges or rights; only those granted by the employer (which is why companies can be held liable for any activities which employees engage in, even sometimes outside business hours).

    Do a good job of informing your workforce, and they'll think twice about voting for that yo-yo who says he's only trying to "protect the children".

  7. Re:Weird thought - disallow email. by Wansu · · Score: 1

    Non-work-related email can be handled through home accounts, POP3 to an employee's ISP's mail server, web mail, or what-have-you.

    This is a much better way to do things. I don't like sending private emails to anyone from my company account anyway. I use a shell account to manage my private mail. It's only draconian if people aren't given an alternative.

    --
    Wansu, th' chinese sailor
  8. Re:not draconian at all by Danse · · Score: 2

    Most people don't need email access at work.

    Huh? I'd say this depends very heavily on where you work. About 95% of the people in my office have to communicate directly with the clients they're working for. This solution would not work at all.

    --
    It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
  9. Lawyer: your HO is wrong by hawk · · Score: 2

    I am a lawyer, but this is not legal advice. If you need legal advice, consult an attorney licensed in your jurisdiction.

    I assume you mean the fifth, but it doesn't matter: it is about governments. It *does not* apply to individuals. It also does not apply in civil cases--your refusal to testify in a civil case *can* be held against you.

    hawk,esq.

  10. What about when it was someone's fault? by bkosse · · Score: 1

    I get what you're driving at with your second point, but what about the times when someone is responsible and it's not a case of someone trying to make a quick buck? I say we should start something along the lines of damage mitigation with immediate disclosure and remedy attempts, though. Possibly punitive damages can't result from when a company has publicly and effectively acknowledged a defect. Immediate effects (like hospital bills, etc) can be sued to recover, but not punitive damages.

    --
    Ben Kosse
    Remember Ed Curry!
  11. Suggestions for a Saner Workplace by jd · · Score: 3
    Here are some thoughts on how to make a workplace sane, given the current lawsuit-happy environment and the problems of abuse, vulnerability, etc:

    • Have "Safe Rooms". These rooms are officially =outside= the company, have a different IP address and domain name, have a different phone number, and are essentially "safe havens" for which the company can legitimately deny any responsibility.
    • Make available to ALL employees copies of:
      • The Verbally Abusive Relationship
      • The Road Less Travelled
      • Healing The Shame That Binds You
      • AA's "Big Book"
      • AA's 12 & 12
      • People of the Lie
    • Provide personal alarms to all employees, with the understanding that it's not "being weak" to use it.

    (I'm sure there are other excellent books, too, those are just the ones I can think of which help people to figure out where they want to draw their limits, to recognise warning signs, and to work out any issues of their own, without the company needing to get involved.)

    IMHO, this is exactly the same fight that mill workers had with mill owners, at the start of the Industrial Revolution, and has exactly the same answer as Robert Owen determined. An educated and sane workforce works better than a hurting and hurt one.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    1. Re:Suggestions for a Saner Workplace by slashdoter · · Score: 1
      (I'm sure there are other excellent books, too, those are just the ones I can think of which help people to figure out where they want to draw their limits, to recognise warning signs, and to work out any issues of their own, without the company needing to get involved.)

      This is a far better way to handle these types of things. If you let people blame the company for all their problems things just get out of hand. I like the idea of a 'safe' room. You could make a little library so people can help themselves. BTW one book I would add is The Gift of Fear.

      --
      Does anyone actually have a Java program designed to control air traffic, or for the operation of a nuclear facility?
  12. Don't allow personal email by Malc · · Score: 2

    Seeing as everywhere I've worked has clearly stated that they can examine my email, etc because it's on their systems etc... I've stopped using it for personal stuff. With free services like Yahoo that have a web interface, there really is no need to use company services for personal stuff. I don't know if such an approach shifts responsibility from a company when there is abuse... I'm just more concerned with my own privacy.

  13. Re:Big Brother doesn't have to watch by Ex-NT-User · · Score: 2

    How much do You trust your Boss?

    Point being is that a LOT of companies are already using these tools and that majority of them do this with no intent to spy on their employees. But there have been many cases in the news about employees being fired for their "browsing" habits by various companies. Which only means that some companies ARE spying on their employees. And that boils down to how much do you trust your company?

    Ex-Nt-User

  14. Re:CAUTION: NON-COMPETE by Jeff+DeMaagd · · Score: 1

    Personally, I don't think so. All it is saying, if you are running a side business, don't do it at your main job. Don't make them pay your expenses and your time for that side job.

    Don't use company resources for the sole betterment of your own enterprises. It's common sense to me. Your addition makes it a little clearer though.

    Annoyingly, IANAL either.

  15. Re:Apply open-source principles to the problem! by Effugas · · Score: 2

    Unfortunately, putting something on the Internet is being legally interpreted as "publishing" - and this applies to e-mail as well. (much e-mail ends up forwarded and put on e-mail list archives, etc)

    That a conversation can be recorded doesn't mean it automatically is.

    Do you have a responsibility, as a business owner, to see what you are "publishing"?

    Unfortunately, the answer seems to be "yes".


    You're beginning to touch upon why business is starting to fight for effective instant messaging.

    But, people don't resent an "open" solution if they know it's there. Nobody minds a camera posted over their head if it's obvious, especially if they can SEE what's being/has been recorded.

    Your grasp of reality fails here. Several unions have been known for "accidentally" destroying biometric readers because they didn't even want their *fingerprints* recorded, let alone their words, thoughts, and actions.

    Look up the wars, incidentally, regarding audio recordings on security videos.

    --Dan

  16. Contextualizing Email by Effugas · · Score: 5

    Stop.

    This presumption that all emails can and should be logged comes from the presumption that emails are equivalent to official memos from the corporation.

    They're not, and shame on anyone who would argue differently.

    The fact that harassing comments may be spoken at the water cooler does not obligate the company to install an audio recorder at that cooler. The fact that harassing comments often are spoken over telephone lines assuredly does not obligate a company to record all calls made to and from the office building. The fact that E-Mail can occasionally lead to harassing comments as well does not obligate the company to violate the privacy of its workers.

    Now, given an active suspicion (usually brought upon by an aggrieved party commenting to his or her manager), it's justified ethically to verify the charge by watching traffic in a limited manner. We wouldn't want someone to lose their job without their sins being proven.

    But to say that employers are mandated by government to spy on everything their workers do obscures the fact that the government itself is mandated a privacy violation infrastructure be built into every single workplace in the name of "protecting us from ourselves."

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  17. Re:From the Linux Capital Group employee handbook by Bruce+Perens · · Score: 2
    IANAL. Postulate that some employee commits an offensive action and the company is sued. I go to court and prove that I took all reasonable precautions to prevent the employee from carrying out an offensive action. Am I still liable? Maybe. Does my insurance cover it? Probably. Is my insurance company happy? Not entirely, but they have no real complaint since I took all reasonable precautions.

    You can't eliminate risk. You thus work to mitigate it as much as possible.

    Thanks

    Bruce

  18. I really think it's fair. by Bruce+Perens · · Score: 2
    The company should not be forced to be your phone company or your internet provider. If you could only speak through the workplace, it would be different.

    Bruce

    1. Re:I really think it's fair. by DaveHowe · · Score: 2

      The company should not be forced to be your phone company or your internet provider. If you could only speak through the workplace, it would be different.
      Hmm. I can see this with the internet (while things like online banking make this a borderline decision, as most online banking sites are more convenient than phone banking) I can't agree with the phone - most companies accept that *other* companies don't deal outside of business hours, so employees are likely to need to make the occasional personal call to a bank, utility or doctor that would otherwise need them to travel to the place of business or find a payphone. Some provide a small room with a desk and payphone for "private" calls, but the majority just roll in the small cost of these calls as overheads and ignore them (provided they aren't abused of course).
      In fact, a current English law is still pending because in effect, you would require the formal permission of *both* participants in a call not to be committing a crime that carries a jail sentence; they are working on alternative wordings that allow sensible monitoring without allowing anyone but the government a snooper's licence (now that they have one, they are jealous of anyone else getting one)....
      --
      -=DaveHowe=-
  19. Not meant that way by Bruce+Perens · · Score: 3
    It's not meant to be a non-compete, but I see your point. The particular situation that came up is that we found a really good deal that essentially nobody knew about, that got worse if more businesses participated. One of the employees wanted to take advantage of the deal for his own business in a way that would sour it for us. So, I asked him not to do that, and he agreed not to. But you are right that it should not read as a conventional employee non-compete, and I will fix that.

    Thanks

    Bruce

  20. From the Linux Capital Group employee handbook by Bruce+Perens · · Score: 5
    It's OK to use this text under the GNU Documentation License. I plan to put the whole handbook out as free software when I have time.

    Bruce

    Systems Use and Privacy

    In order to facilitate communications and business operations, the Company uses a number of devices, objects and systems. This includes but is not limited to mail, e-mail, telephones, desks, common areas, cabinets, files, computers, networks, passwords, voice mail, etc. Access can be made by the company to any or all of these items or systems at any time. Employees should not assume that contents of messages are confidential and will be only reviewed by the employee.

    The Company does not guarantee the security of the Company's systems, computers or telephones. If you need to communicate in a secure fashion, do it outside of Company buildings and without using any Company equipment or facilities. We employ technical experts who are able to read your computer data and tap your phone.

    Members of the executive staff, the employee's supervisor, or another employee at the direction of a member of the executive staff, may access, monitor and act on any message or communication or data in any system at any time and may view and consider and act on the contents of any item provided for use in the normal course of company business.

    None of this, however, conveys authorization for any employee to eavesdrop. The email, files, and other communications of your co-workers are not your business and you are to avoid situations that would expose you to them unnecessarily. "Snooping" is unethical and you are liable to be terminated if you engage in it.

    Our systems are never to be used for pornography, email spam, ethically questionable or unprofessional activities. Internet service is widely available outside of the Company at low cost. Do not consider us to be your "Internet provider": our Internet facilities are only for work. Internet communications that are not part of your job should be carried out using an outside internet provider, a non-Company email address and non-company URLs.

    In a nutshell...this means don't be doing nasty or illegal things in the office or on our networks. Respect the fact that your co-workers have access to information on the network and the computers and they would like to be able to respect you in the morning. The Company reserves the right to inspect information and work environment at any time, with or without notice.

    No Personal Businesses On-Site

    It is understandable that many of the Company employees are entrepreneurs and may have one or more companies or separate enterprises, outside of their interest in the Company. It is our desire to nurture and respect the mindset of the entrepreneur. However, under no circumstances shall any employee of the Company run their own company at or through the Company. The use of the Company resources to conduct said business is strictly prohibited. All such enterprises shall be conducted completely off-site and shall not in any way be connected to or interfere with the normal operation of the Company.

    It is understood and accepted that occasional phone calls will need to be made or taken with regard to personal business. However, there shall be no routine phone calls. There shall be no connections with your personal enterprises and the Company. You are not authorized to use computers, addresses or other Company property, licenses or identification numbers to conduct your personal enterprise. In addition, you shall not use to the advantage of your personal enterprise any business information acquired on the job, at the Company.

    1. Re:From the Linux Capital Group employee handbook by ilsa · · Score: 1

      I like this a lot. The only thing I would add is something to the effect of "Never put anything in an email that you wouldn't feel comfortable saying to your boss, your mother, or a judge." This is my own test for email, both personal and company. I bet Microsoft wishes certain employees had used it as well!

      --
      -- I Am Not A Terrorist.
    2. Re:From the Linux Capital Group employee handbook by update() · · Score: 2
      OK, but (for the most part) this begs the question. You make this policy clear to everyone - and someone violates it, and someone else sues you. Are you liable?

      Buried in all the language about understanding and respect, is the real answer to the question:

      Members of the executive staff, the employee's supervisor, or another employee at the direction of a member of the executive staff, may access, monitor and act on any message or communication or data in any system at any time and may view and consider and act on the contents of any item provided for use in the normal course of company business...The Company reserves the right to inspect information and work environment at any time, with or without notice.

  21. It is my opinion... by boinger · · Score: 2
    If you have to monitor your employees that much, you need new employees.

    I don't pretend I don't screw around during the day (for instance...now), but I think I am entitled. I work faster than average. I implement job-lightening scripts and procedures. My ultimate goal is that I implement a system that merely requires me to be somewhere in town if something goes wrong.

    So, if I'm endlessly reducing my workload (as part of my job), why wouldn't I have time for personal "stuff".

    If, however, I were doing illegal activities, it would be my own issue, and if it became apparent, then I should be terminated.

    --
    Send your friends messages of love at fuck-you.org
    1. Re:It is my opinion... by rhombic · · Score: 1

      The monitoring has nothing to do with employee quality, it has to do with what the fscked up legal system in this country demands of people who own things (i.e. business owners): accountability as to what gets done with things they own.

      The same issue pops up with drug testing : it's not really needed, and seldom catches anyone anyway, but if you don't do it, and a crack-smoking employee drives a dumptruck into a schoolbus, you're dead. If you've had drug monitoring, you can say "we exercised due diligence in maintaining a drug-free workplace. This guy never showed positive for crack before". You're still fscked, but probably not as badly as before.

      Of course, IANALAIDPOOTV.

      --
      1984 was supposed to be a warning, not an instruction manual.
  22. Re:law by unitron · · Score: 1

    Shouldn't the law be the same regardless of the marital status of the secretary?

    --

    I see even classic Slashdot is now pretty much unusable on dial up anymore.

  23. You need a legal opinion not a tech one by gelfling · · Score: 5

    Even if you monitor what are you monitoring for? Who does this protect? While it may afford the company the excuse that they can go after an employee it does not protect the company from anything per se. Moreover if you have an official policy of monitoring AND ALSO filtering then the company is setting itself up to NEVER send out anything that is in violation of the policy. That is, if you claim you are in compliance then you in fact HAVE TO BE in compliance and you may be exposing the company to even more trouble. In this case the liability is clear regardless of who sends out the offending email. Therefore you again have not actually protected the company from anything unless you the email admin can guarantee the process.

    You need to consult an attorney. You may also want to investigate some kind of business insurance to cover litigation and damages that may result.

    1. Re:You need a legal opinion not a tech one by gmhowell · · Score: 1

      >You need to consult an attorney. You may also
      >want to investigate some kind of business insurance to
      >cover litigation and damages that may result.

      Done and done. That wasn't the point of my question. The point is: what is too much to an employee?

      Why not ask my own employees? Not technically savvy enough to give an educated response.

      BTW, part of the problem with the US is that we too often feel that the legal response is the correct one. Sometimes, one has to do what is right, which is what I am attempting to do in this case. As mentioned in an earlier post, blocking all email except for a few is the safest policy from a legal perspective. However, it's also the least kind to employees who have not done anything wrong. I have no desire to throw out the baby with the bathwater.

      As far as being compliant: welcome to the United States. I manage a business with > 50 employees. Therefore, I have to be as compliant with every bit of personnel law as General Motors and Microsoft. Whether or not we claim compliance has nothing to do with it.

      The point of this is not to go after the employee, as you seem to imply. It's to cover my own butt, while not pissing them off.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    2. Re:You need a legal opinion not a tech one by KahunaBurger · · Score: 3
      Moreover if you have an official policy of monitoring AND ALSO filtering then the company is setting itself up to NEVER send out anything that is in violation of the policy. That is, if you claim you are in compliance then you in fact HAVE TO BE in compliance and you may be exposing the company to even more trouble.

      Wrong.

      Let's say the magic words again, everyone : "good faith effort" Aside from the (IMHO sexist backlash of) hysterical overreaction to sexual harassment claims, the reality is very different. You as an employer are not held responsible for everything an employee does. But you are responsible if you condone it, if you have policies which make it easier on the harassers than the harassed, if you don't take early complaints seriously, etc. If you have a policy, you tell people where they can complain, and you make a good faith effort to follow up, you do not have a problem.

      Then again, in the real world (outside of the backlash hysteria) a lot of individuals and companies don't have a problem even when they don't do it right. (begin rant)

      Real life example. A lifeguard for a city pool sued the city because of pervasive sexual harassment by her supervisor. The city had a sexual harassment policy and displayed it at city hall, but the employee worked only at the pool and never saw it. When she tried to complain to her supervisor's superior they lied/didn't know better and told her that there was nothing that could be done about it. One of the lower courts ruled that even though they had completely failed to do anything useful with it, the city was still protected from the complaint just because of the existence of a formulated policy. (in this case even a bad faith effort is ok, apparently). The case was under appeal when I heard about it, I don't know the final outcome.

      Another real world case for those who think a flirting UPS man will lose them their business. A large supermarket chain had a store manager accused of sexual harassment bordering on attempted assault. Their solution to the problem was to maintain his "rank" but switch him to another location where no one had heard about his past behavior. There he was given enough authority over a small enough crew that he could one night order everyone home but one woman at lockup time and rape her in his office. When she found out about his prior complaints and the way the chain had responded to them, she sued. On her last appeal, the court ruled that the chain had not acted in negligence, and she had no standing for such a claim. They did say that she could file a workers comp claim, because the "injury" arose out of normal work conditions. Wanna guess which state thinks having a known sexual predator around is just something the company can't be expected to change? Massachusetts, home of the "liberal, activist" court.

      Now I keep hearing people rant about these overreacting sexual harassment claims, but I've never actually heard an authenticated, or even first hand report on one. Out in the real world, it looks like the companies can protect themselves just by having a policy, distributing it and sticking with it, harassers can protect themselves by being "good enough" that their supervisors turn a blind eye or reassign when too many people complain, and the harassed can protect themselves.... how? I don't know. make a complaint and hope anything useful happens, then go out and listen to your friends complain about the neutered corporate culture they're imagining.

      Rant over, gotta go to bed.

      -Kahuna Burger

      --
      ...will work for Chick tracts...
  24. Re:Private moments. by ocie · · Score: 1

    The problem with this is that it places an unnecessary burden on the employer to police and spy on its employees. Come on now. If I write a threatening letter and drop it in my company's outbound mail box is it really the company's fault? Why then should the telephone or email be any different? If I have an illegal website running from my apartment, should my landlady be responsible for that as well? What ever happened to personal responsibility and the idea that we are presumed innocent until proven guilty?

    --
    JET Program: see Japan, meet intere
  25. Re:How is Paper Mail Handled? by pimp · · Score: 1

    It would be great if we could put the onus of responsibility taking care of email on the users, as in the example SEWilco raises. However, email is not currently regulated by the same set of laws. I believe that postal mail is protected from tampering in the U.S. by federal statute, e.g., it's against the law to read postal mail not addressed/delivered to you.

    Why is email treated differently? Email is not handled exclusively by federal employees. Does that mean that Joe User should trust their local postal employees more than their email admins? I suppose that depends on the employees and their email admins, but while immoral and probably subject to civil court, it is not a federal crime to read someone else's email.

    If you don't like it, write your senators, representatives, and everyone else who can effect a legal change.

  26. CAUTION: NON-COMPETE by Signal+11 · · Score: 2
    "In addition, you shall not use to the advantage of your personal enterprise any business information acquired on the job, at the Company."

    This could be construed as a non-compete clause. In many states, these are unenforceable. You probably want to amend this to reference "trade secrets" and/or "business practices" instead. You can't tell me that as a web developer if I learn CSS or Javascript on the job I can't use that knowledge elsewhere. The whole point of employment is building your career and acquiring new skills. That statement is contrary to this basic principle of employment, and would be legally unenforceable, if not ethically questionable as well to request.

    Now, using the same analogy, if as a web designer a company I worked for designed a new dynamic backend to deliver for, say, news content, and that backend contained a lot of new ideas and features not found elsewhere in the industry and where knowledge of that (if acquired by competitors) would cause material harm to the company, then yes.. such knowledge should be protected. However that should be done in a separate document and made explicitly clear to employees both at the time of employment, and at periodic intervals afterwards (if it is that important, you should take great pains to ensure everyone knows this - due diligence).

    Yes, I know you don't mean this to be a legal document, but as a policy document for a company, it could be used in legal proceedings, however IANAL.

    1. Re:CAUTION: NON-COMPETE by mccrohan · · Score: 2

      I think that 'business information' pretty clearly != 'personal skills'. Business information would include things like the trade secrets and business practices you mentioned (upcoming plans for the business and its customers/suppliers, for instance) as well as business contacts - for instance, trading on your position as a representative of the company to get deals for your personal ventures.

  27. Re:Put simply... by Bob+McCown · · Score: 1

    We have the opposite problem here. There's one guy that surfs pr0n sites during the weekend, yet gets lauded in company meetings for putting in long weekend hours. We've provided proof (HTTP sniffer logs) to HR and management about this, and they keep turning a blind eye. What's our next recourse against this guy?

  28. Privacy isn't the problem, Political Correctness is. by BrookHarty · · Score: 1
    Companies only monitor e-mail for 1 reason, Political Correctness lawsuits.
    When companies have to pay millions for dirty jokes/etc, we end up in this draconian state that we have now.
    Common sense is no more, so laws are passed to regulate it.

    You may resume your daily illusion.

    -Brook Harty

  29. Wierd thought - disallow email. by Christopher+Thomas · · Score: 4

    If your company is liable for any email originating from it, then a logical solution is to block outgoing email from most users. Give the company a few official contact people who talk to clients directly, and act as go-betweens for other work-related email.

    Non-work-related email can be handled through home accounts, POP3 to an employee's ISP's mail server, web mail, or what-have-you.

    This is draconian, but it does virtually eliminate the problem of liability for outgoing email. Internal email management is left as an exercise to the reader.

    1. Re:Wierd thought - disallow email. by Narcischizm · · Score: 1

      But you've slightly missed the point. It is true that the most publicized correspondence has been internal mail/memo/fax. But companies are responsible for email from their own domain. Your post assumes that it is something damning to the company, as in the racial slurs being used in training, or tobacco company internal correspondence, etc. Sexual harassment as an example. If your employee is sending dirty love letters to a person in another company within your company's domain, then you, as the employer, are legally responsible for that employee's actions. These cases aren't exactly as publicized as the M$ DOJ case, but it still happens.

    2. Re:Wierd thought - disallow email. by Master+Bait · · Score: 1
      Sieg heil to you, too!

      I've been self-employed for about 5 years now and am boggled to read about how the corporate world on the 'outside' has turned into a bunch of good little nazis running around putting their heads up other people's asses. Nothing personal, I could have responded to several other good-little-nazi posts, too.

      Doesn't liability insurance cover stupid f*cking email indiscretion lawsuits? It covers MINE!


      blessings,

      --
      "Only in their dreams can men truly be free 'twas always thus, and always thus will be."
      --Tom Schulman
    3. Re:Wierd thought - disallow email. by fxars · · Score: 1

      You've lost the point. Most of the legal problems companies have had with email have been internal emails sent within the company. Remember Microsoft? The emails the government has used against them were mostly internal. The New York Times firings were over "inappropriate" emails between employees, not external emails.

    4. Re:Wierd thought - disallow email. by aaronhaley · · Score: 1

      In this day and age most people require external email to do their jobs. At least in many business sectors. And in many cases you can still be held liable for email they send through other accounts on the job. If they are doing it while at work then you are liable.

      --
      --And sektor spoke and said unto the people. Hey, buttwipe hand me the cheezeos.
    5. Re:Wierd thought - disallow email. by skyrytow · · Score: 1

      This is being done right now, brokerage firms require that all outgoing communications be reviewed by a compliance officer, this includes email and fax. Email is allowed to flow within the organization but if it is going outside it has to be approved. A good idea if you ask me.

      --
      Rasputiin
    6. Re:Wierd thought - disallow email. by e*2 · · Score: 1

      Do your backup tapes exist for more than six months? If so, your company's policy is effectively worthless for avoiding such situations.

  30. Re:law by afc · · Score: 1
    What we all are waiting for though, are laws that protect the majority of orthography abiding posters from the privileged minority of spelling-challenged ones.

    On an even more pedantic note, I know of no country in the West where women are a "minority", no matter how much the gender gap at your CS classes might tell you otherwise. And to put the icing on the cake, I believe "lewd" speech is as much protected as prayer is.
    --

    --
    Information wants to be beer, or something like that.
  31. Re:law by afc · · Score: 1
    This makes absolutely no sense, I can publish a scientific magazine that uses the word 'fuck' in every other sentence (never mind context :-) and there's no judge or law enforcement authority that will shut me up on grounds of obscenity.

    No matter how much the religious right may have impregnated on people's minds, "free speech" doesn't protect speech against a government one doesn't like particularly, it protects all speech, even the proverbial "fire in crowded theater" cliché (the difference being the legal consequences of said speech).

    Unless we have a large disagreement as to what lewd means (incidentally, it meant "lay, laical" originally) you are way off base here, my friend.
    --

    --
    Information wants to be beer, or something like that.
  32. monitoring may expose you more by jetson123 · · Score: 2
    Why again do you think you have to record all E-mail? Are you supposed to listen in on all telephone conversation and bug people's offices as well? Who is going to pay for the effort that that kind of monitoring requires?

    I don't think monitoring is feasible. In fact, it may expose you to even more liability because it puts you in the position of being able to discover problems, and the presumption then may be that you knew about a problem but chose to ignore it.

    I'd prohibit any personal use of company E-mail (there is no need for it--web-based mailers provide an excellent alternative), have a clear policy on how employees can get help with problems, and indicate to external recipients of E-mail messages (in a header or signature) who they can contact in case of problems with mail they received. But if it really worries you, why not talk to a lawyer?

  33. Explain to employees by Silver+A · · Score: 2

    Explain to your employees what you've said - any mail going out with @mycompany.com exposes the company to liability, etc. Encourage them to keep the company name off personal business. Maybe also as part of your employment contract, make the employee indemnify the company against personal unauthorized actions which expose the company to liability, and explain this in interviews and when the employees start. If you explain to people why you have certain restrictions, and the explanation is reasonable, they're much more likely to comply with them.

  34. Re:Encryption policies? by swb · · Score: 1

    In the situation I described a self-incriminatory situation. But what if they said that the use of encryption they didn't control was in and of itself wrong? Can you bounce an employee just for sending "hello world" with a private pgp key?

  35. Encryption policies? by swb · · Score: 3

    What about policies regarding the use of strong encryption in the office? For example, what if I do my "off limits" business at work in a completely encrypted fashion, but for whatever the reason the light of suspicion falls on me. If I refuse to reveal my key(s) which can then reveal the evidence against me, should the company be able to fire me because of that?

    In other words, should there be an organizational policy on encryption? Such as something like:

    "Only organizationally issued [and hence escrowed] encryption software and keys may be used to secure communications. All other encryption may be construed as evidence of prohibited behavior." or some other kind of legalese.

    To me this seems more draconian, but at the same time if the stated goal is maintaining company control over the computers and the data, I can't see how you could allow an encryption free-for-all without causing problems.

    1. Re:Encryption policies? by Centove · · Score: 1

      Well the refusing to divulge the key would, IMHO, fall under the fourth amendment in the US. In that you are not required to incriminate yourself.

      A stretch? Probably. A good lawyer could probably do a convincing enough argument.

    2. Re:Encryption policies? by Frank+T.+Lofaro+Jr. · · Score: 1
      Fourth Amendment binds the gov't, not your employer. Unless your employer is the gov't. And maybe even then, it only applies in the context of gov't-citizen, not gov't-employee of gov't. Same with the Fifth Amendment.

      Also, Fourth Amendment=search and seizure, Fifth Amendment=no self-incrimination.

      --
      Just because it CAN be done, doesn't mean it should!
  36. Re:How is Paper Mail Handled? by Sloppy · · Score: 1

    When I send a paper letter to you, does your company have people who review every letter which is received or sent?

    Actually, almost all mail that I receive at work (which is very little) is opened by the secretary long before it gets to me. And that's good too, since she usually can recognize junk mail and throw it away before I see it.

    If it's personal (e.g. all those love letters from Morgan Fairchild), it is sent to my home, not my place of employment.


    ---
    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  37. Re:not draconian at all by Sloppy · · Score: 2

    What they need is "work" mail as opposed to personal mail. Perhaps this can be fixed by giving them a boring mail address such as sales05@company.com or support@company.com instead of joeschmoe@company.com. That might help keep other parties from thinking that it's appropriate to use that address for chatting about Joe Schmoe's girlfriend's hemorrhoids.


    ---
    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  38. not draconian at all by kaisyain · · Score: 2

    Most people don't need email access at work. Just like most people don't need access to letterhead or a company credit card.

    You'd still be letting them access their personal email from work -- so it's not THAT draconian.

    And they can still communicate via email internally.

    1. Re:not draconian at all by scumdamn · · Score: 2

      Where I work, we need to communicate directly with customers and send them files as attachments, etc.
      Our company has gone the opposite of what you suggest and disabled communication to/from port 25. So we can receive home email, but can't send.
      Well, that is, most people can't.

    2. Re:not draconian at all by TheCarp · · Score: 1

      Could set up a second domain just for personal email and give all employees the option of setting up an address there.

      Then stipulate that the real company name address is ONLY for official things, like answering support questions, contacting vendors etc.

      --
      "I opened my eyes, and everything went dark again"
  39. A way to verify contents without snooping by wtpooh · · Score: 3
    I have always wondered about the use of email evidence in court - it would be relatively easy for company A to invent nasty email messages from company B, all the way down to A's incoming mail server logs. If company B was not archiving all outgoing mail, it would have no way to prove that those emails were not genuine.

    So, what if B's mail server logs only a checksum/hash of all outgoing mail? Then B would have evidence that could counteract A's account, but would not need to be intrusive or store huge amounts of email forever. While having each user PGP sign their documents would serve the same purpose (and be more reliable, since it would provide definite proof of a forgery), this system would be much easier to implement on a companywide basis.
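
The hash-only outbound log proposed in comment 39, as an added example that is not part of the original thread: the mail server keeps a SHA-256 fingerprint of each outgoing message instead of its content. Going beyond the comment, entries are hash-chained so that edits to the log are detectable; the class and function names, addresses and sample messages are constructed for illustration, and the set of headers hashed is an assumption.

```python
import hashlib
from email import message_from_string

# Headers set by the sender that relays normally leave untouched
# (an assumption of this sketch; Received lines added in transit are ignored).
STABLE_HEADERS = ("From", "To", "Date", "Message-ID", "Subject")
GENESIS = "0" * 64  # chain value before the first entry


def fingerprint(raw_message: str) -> str:
    """Return a SHA-256 hex digest over the stable headers and the body."""
    text = raw_message.replace("\r\n", "\n")  # same digest for CRLF and LF copies
    msg = message_from_string(text)
    digest = hashlib.sha256()
    for name in STABLE_HEADERS:
        # Collapse folding and repeated whitespace so re-wrapped headers still match.
        value = " ".join(str(msg.get(name) or "").split())
        digest.update(f"{name.lower()}:{value}\n".encode("utf-8"))
    _, _, body = text.partition("\n\n")  # body starts after the first blank line
    digest.update(body.rstrip("\n").encode("utf-8"))
    return digest.hexdigest()


class OutboundHashLog:
    """Append-only log of message fingerprints; no message content is stored."""

    def __init__(self):
        self.entries = []

    @staticmethod
    def _link(prev_chain: str, sent_at: str, fp: str) -> str:
        # Each chain value commits to the previous one, so changing or
        # removing an earlier entry invalidates every later chain value.
        return hashlib.sha256(f"{prev_chain}|{sent_at}|{fp}".encode("utf-8")).hexdigest()

    def record(self, raw_message: str, sent_at: str) -> str:
        fp = fingerprint(raw_message)
        prev = self.entries[-1]["chain"] if self.entries else GENESIS
        self.entries.append(
            {"sent_at": sent_at, "fingerprint": fp, "chain": self._link(prev, sent_at, fp)}
        )
        return fp

    def chain_intact(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            if entry["chain"] != self._link(prev, entry["sent_at"], entry["fingerprint"]):
                return False
            prev = entry["chain"]
        return True

    def was_sent(self, raw_message: str) -> bool:
        fp = fingerprint(raw_message)
        return any(entry["fingerprint"] == fp for entry in self.entries)


# Constructed sample data: what company B's server sent ...
SENT = (
    "From: alice@b.example\r\n"
    "To: bob@a.example\r\n"
    "Date: Mon, 02 Oct 2000 10:15:00 -0400\r\n"
    "Message-ID: <1@b.example>\r\n"
    "Subject: Quote for order 17\r\n"
    "\r\n"
    "The price is $400 per unit.\r\n"
)
# ... the same message as stored by company A (extra Received header, LF endings) ...
RECEIVED = (
    "Received: from mail.b.example by mx.a.example; Mon, 02 Oct 2000 10:15:04 -0400\n"
    + SENT.replace("\r\n", "\n")
)
# ... and a copy whose body was altered after the fact.
ALTERED = RECEIVED.replace("$400", "$40")
OTHER = SENT.replace("<1@b.example>", "<2@b.example>").replace("order 17", "order 18")


def build_demo_log() -> OutboundHashLog:
    log = OutboundHashLog()
    log.record(SENT, "2000-10-02T14:15:00Z")
    log.record(OTHER, "2000-10-02T15:40:00Z")
    return log


if __name__ == "__main__":
    log = build_demo_log()
    print("genuine copy matches log:", log.was_sent(RECEIVED))
    print("altered copy matches log:", log.was_sent(ALTERED))
    print("log chain intact:", log.chain_intact())
```

A match shows that the disputed text equals something the server sent. A miss is only persuasive if the latest chain value was deposited with an outside party at the time, since whoever holds the log could otherwise rebuild the whole chain.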

  40. Log Email by weston · · Score: 2

    Keep a copy of all email sent, but make it clear that company policy is not to search it unless there's a complaint of abuse. Hopefully, the consequence would be that the employee realizes there's a record kept of everything they send, and that will make them more responsible.

    I know this sounds a little bit like those stupid voluntary privacy policies that people like doubleClick have. But you're not them. You're a small business concerned about balancing privacy with responsibility. You might be able to handle it.

    Also, I really think that with the number of ways that someone can send and receive email today on the net, use of a company account for personal business is really not a must.

  41. Full disclosure by sterno · · Score: 1
    If you feel that it is important to protect your company from legal liability by monitoring employee use of systems, then you should make this clear to them. Time after time I hear stories about how some company was secretly monitoring employees and caught them doing something. Rather than treating it as some sort of game where you are trying to "catch" people, just tell them you are watching, how you are doing so, and also explain why.

    ---

    --
    This sig has been temporarily disconnected or is no longer in service
  42. Protective Measures by HerbieTMac · · Score: 1
    IANAL, but I have a friend who works for a law firm (That must lend me credence, right?)

    In any event, all of her e-mail which leaves the office has a tag attached to it, identifying it as the sole property, expression and views of the writer. The same sort of disclaimer should be applicable in your case.

  43. Re:This is (going to be) unpopular, but... by Teun · · Score: 1

    I find it curious how you in the US differ so much on this subject (privacy) from us in Europe (with the exception of the UK which is to all purpose a police state).
    Our freedom of speech is not as pronounced as the US version, for example we can not legally promote hate like nazism.
    But we have a lot more protection when it comes to privacy, regardless where we are.
    Only after a company is informed that their systems are being abused can they start to investigate, usually under very strict rules and conditions.
    For example here in Holland the elected employees committee has to approve of the methods to be used.
    Although the law is not quite clear most people expect the same protection against reading of their E-mail as there is against the unauthorised opening of ordinary mail, WHY NOT?
    When an employer needs the tool of tabs on internet and phone use to assure their employees are putting in their money's worth of work there is something rotten in the system.
    Modern companies set productivity targets and when people are meeting them it's rather unimportant what else they do!

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  44. What about webmail? by nut · · Score: 1

    What if I use a web interface to something like hotmail to send personal email? Is the company still liable because I've accessed my webmail on a company workstation?

    --
    Never trust a man in a blue trench coat, Never drive a car when you're dead
  45. Re:How is Paper Mail Handled? by nut · · Score: 1

    Do you believe that the fact that email is more informal means that they require more monitoring? If we applied that policy to phone calls, which are just as informal in nature, then companies should be monitoring every phone call an employee makes in case they, "say something inappropriate."

    --
    Never trust a man in a blue trench coat, Never drive a car when you're dead
  46. Re:How is Paper Mail Handled? by zericm · · Score: 1
    When I send a paper letter to you, does your company have people who review every letter which is received or sent?

    No, I'm certain the paper mail is simply delivered to your desk.

    Not at my company. We are heavily regulated by the government, so most paper mail that goes in and out of the company is scrutinized very closely.

    The responsibility with paper mail is with the individuals.

    Why change things for electronic mail?

    Because, unlike paper mail, electronic mail can last forever. It is very easy for me to write a letter by hand, then send it away with instructions to be destroyed by the recipient. The only copy is gone, with no record that it ever existed.

    Email is different. All those bits get backed up on a regular basis, and then can be used in a court of law. I offer Microsoft as an example of this. What might seem like a personal message, could have significance in a harassment or wrongful termination case.

    --
    The welfare of the people has always been the alibi of tyrants. - Albert Camus
  47. Having cake, eating too. by lythander · · Score: 3

    Being in a similar situation, I have also pondered this koan, and believe it truly unsolvable. You want to only monitor true abuses, not minor nit-picky transgressions, and respect privacy as much as possible.

    Can't be done.

    You must monitor every email if you're to catch those creating true liability. You must log every page view if you're to catch the porn surfers. If you sample these things, those you catch can accuse you of singling them out. If you sample, you might miss some doozies. And as the filter companies have shown us, these sampling and filtering methods do not work (yet?).

    Perhaps what you need is a modest plan involving user education, a written policy protecting user privacy and agreeing to full disclosure when it must be violated in the course of some investigation, and enough documentation to demonstrate due vigilance wrt these issues in case a suit arises.

    In the end, those who want to bad enough will screw everything useful up for everyone. The trick isn't on preventing it so much as being able to prove that you made every reasonable attempt to prevent it.

  48. Totally wrong solution by FascDot+Killed+My+Pr · · Score: 2

    Why are you looking for a good way to comply with a bad law? The problem is the law--fix it! Yeah, yeah, "I can't afford court fees", etc, etc, etc. Write your congress-critters (federal and state), talk to city/county councils, get your voice out there! These things can be fixed without resort to courts and expensive lawyer fees.

    Better yet, pay attention to current bills being considered. An ounce of prevention....
    --

    --
    Linux MAPI Server!
    http://www.openone.com/software/MailOne/
    (Exchange Migration HOWTO coming soon)
    1. Re:Totally wrong solution by gmhowell · · Score: 1

      Not sure why I hadn't considered this before, as it has helped with some other policies we've been forced to introduce. This will receive some consideration.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    2. Re:Totally wrong solution by gmhowell · · Score: 1

      Done and done. FWIW, my company (at my behest) tried very hard to prevent the UCITA from being passed in Maryland.

      Guess what? Didn't work. Spineless idiots.

      OTOH, remember that this is in response not to written laws but rather to poor interpretations of existing laws by judges. It might have been 'Database Nation', but there was a book I read this summer that talked of the absurdity of the sexual harassment laws/interpretations in particular.

      --
      Jesus was all right but his disciples were thick and ordinary. -John Lennon
    3. Re:Totally wrong solution by rdemanow · · Score: 1
      Oh please, that is a pretty idealistic thinking, just get your voice out there the law will change.

      Well, that's how it's supposed to work!


      The primary reason that it doesn't work that way, is the fact that those at the tops of the big companies with clout profit from these laws that make their employees suffer.


      Both the sexual harassment laws, and the privacy laws that are currently on the books are bad, and need to be changed.


      You're right, InsaneGeek, they probably won't be changed in my lifetime.


      Why? The reasons are actually quite simple:


      1 -- People don't know about them. Take for example the Sonny Bono Copyright Extension Act that was passed in 1998. The only people who knew about the subcommittee hearings on that bill were the companies who lobbied for it to begin with, and who benefit from a law that harms the vast majority of the US population. It was never publicized, and therefore anyone opposed to it was excluded from testifying at the hearings. Presto, we have another bad law.


      Thanks to all the bull$#1t lawyer-eze written into these things, people also don't know whether or when such laws might or might not apply to them.


      2 - Those in power don't listen. Why should they? What are we going to do? Vote them out of office?


      They have us so convinced that our vote doesn't make a difference that over 70% of those eligible to vote don't bother anyway!


      Replace a Republican with a Democrat (or vice versa) and all you get is a change in which tax goes up to pay for all the new bad laws they'll make trying to return the favors garnered from all those huge campaign contributions from the big companies who want to protect themselves from being sued by the people they've wronged.


      No, InsaneGeek, FascDot is quite right. The laws need to change.

    4. Re:Totally wrong solution by InsaneGeek · · Score: 1

      Oh please, that is a pretty idealistic thinking, just get your voice out there the law will change.

      If that were as easy as you seem to make it be, I'm pretty damn sure that the fortune 100 companies who have a LOT more pull in local, state, federal government than government would have had it done already; instead of paying out the HUNDREDS of millions of dollars they have out for sexual harassment settlements. In the YEARS that it will take to get any change with your "get your voice out there", that if you don't comply with the law you are in for a good old beating. I'm pretty sure that enforcement of that law is not going to listen to the excuse of "It doesn't apply to me, I'm getting my voice out."

      What you are saying is some of the worst advice I've ever heard, sure it will eventually work after years and years of fighting; but hey my company has to close shop because I didn't think that I should comply with the law that is currently on the books.

      I love the "ounce of prevention" statement, you first state that he shouldn't try to comply with the law to PREVENT a problem from happening, and then state "An ounce of prevention"... now that's comedy.

      Spelling & grammar checker off because I don't care

  49. subdomain for private use? by lydon · · Score: 1

    Why not give your employees email addresses in a subdomain? For example: user@private.company.com

    Combined with a note on your webpage, company terms and so on, this could be a legal wrapper against such 'attacks'.

    1. Re:subdomain for private use? by TheCarp · · Score: 1

      Will anything EVER cover you "Legally for sure"?

      Doesn't it really depend on what judge you get, how good your lawyers are, how good their lawyers are...the phase of the moon, and what judge you get on the appeals...yadda yadda...who currently makes up the supreme court etc...

      Nothing is totally for sure when it comes to law.
      Well nothing except the fact that your tax dollars are paying for it to happen
      -Steve

      --
      "I opened my eyes, and everything went dark again"
    2. Re:subdomain for private use? by Frank+T.+Lofaro+Jr. · · Score: 1
      But you only need to buy a relatively cheap judge to get you off if you have a disclaimer. The judges that will let you off without a disclaimer are much, much more expensive.

      The disclaimer is much more cost-effective, you see.

      --
      Just because it CAN be done, doesn't mean it should!
  50. Re:How is Paper Mail Handled? by gmhowell · · Score: 1

    >Why change things for electronic mail?

    You'd have to ask the courts. They are trying (and succeeding) to reinvent the wheel.

    If 2600 had 'merely' printed the code in an issue of their magazine, there would be no case.

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  51. Re:This is going to be unpopular, but... by gmhowell · · Score: 1

    They might be a smartass, but they would be a bright smartass. Someone cognizant enough of their situation to try to change it. That person should quite probably deserve more responsibilities.

    I'm not saying they aren't a malcontent. But how many smart people on /. would do something similar just out of boredom?

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  52. Re:Bizarre Assumptions, Good Advice by gmhowell · · Score: 1

    Nowhere did I imply that gaining millions in a civil suit is either easy or necessarily possible. But in a legal climate where nearly every claim, regardless of its absurdity, is given time in a court, it is impossible to predict what a court will force me to pay to defend. And this is not simply monetary costs. The costs due to a loss of reputation, and the time involved could possibly be devastating.

    As far as having intelligent employees, yes, that is the bulk of our staff. However, when unemployment rates are as low as they are, finding new staff that is competent (and by this, I mean that they can alphabetize) becomes increasingly difficult.

    We have phone policies. We have fax policies. But if you reread the original question, you'll see that the purpose was to garner what seemed to be a reasonable policy regarding the internet and email (not yet implemented in our office for a variety of reasons).

    With few exceptions, I have gotten few, if any, reasonable responses to my question. It is very easy for slashdot to bemoan the practices of companies. Yet when I asked for a policy that takes into account both their needs and those of the employer, the responses seem to be:

    Screw 'em. You gotta cover your own ass.

    -or-

    It's your job, not mine.

    As long as that is the mentality that exists when one tries to get the opinions of /., I'm afraid that it will always be viewed as a fringe group with fringe opinions.

    I must also state that I'm quite dismayed that Mr. Katz has not chimed in. (or at least he hasn't yet been modded up. Perhaps a recheck is in order). Despite his constant protests of the hegemony of the American Corporate Culture, when given a chance to voice constructive criticism, he is nowhere to be seen. Perhaps those who denigrate him are correct. He is a reactionary with little to offer to the conversation.

    But on slashdot, it seems he is not alone.

    (btw, for those who must flame, the mail server is at olg.com)

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  53. Re:I would say speak with the employees by gmhowell · · Score: 1

    This is probably what we will do in conjunction with some other ideas. The problem is that the company is right around 50 employees. At that point, with the facilities available to us, things start to get difficult to handle. As a matter of fact, most of the problems are due to the fact that we are large enough to need more formal management, but not large enough to afford it:)

    --
    Jesus was all right but his disciples were thick and ordinary. -John Lennon
  54. Not draconian, but a reality... by MacKay · · Score: 1

    I used to work for a state agency (judicial branch), and the entire agency was completely ridiculous about both email and internet access. (No joke, the head of the agency initially did not want us to have email because he thought that meant that people could randomly hack into our Word files and read protected documents.)

    Before we were allowed access, we had to sign two or three pages of disclaimers and such stating that we were aware that we "had no reasonable expectation of privacy" in our email or internet usage, and that the agency could peek into it at any time, with or without cause. It also stated that email and internet access were for work only, and had some language stating that minimal or occasional usage for personal reasons was okay.

    Yes, the policy sounded insane, and most of us were pissed off. Grudgingly, we signed anyway. (Refusal to sign meant no internet access or email, period.)

    To my knowledge there have not been any "issues" involving email or internet usage there (save for a problem with some silly Christmas card program that took up huge amounts of space on the server). The more savvy employees got Yahoo accounts for their personal usage. And for the most part, everyone lived happily ever after.

    If a problem did arise, at least the agency feels protected by the lengthy disclaimers. Obnoxious or not, they would hold up in court.

  55. How is Paper Mail Handled? by SEWilco · · Score: 3
    When I send a paper letter to you, does your company have people who review every letter which is received or sent?

    No, I'm certain the paper mail is simply delivered to your desk. The same way outgoing paper mail is handled, and interoffice paper mail. The mailroom leaves the responsibility with the individuals involved.

    If you remember your business letter standards, how you sign your letter is also an indication of whether you are speaking for the company or not. The responsibility with paper mail is with the individuals.

    Why change things for electronic mail?

    1. Re:How is Paper Mail Handled? by rdemanow · · Score: 1
      People are much more likely to send or receive "inappropriate" material via email than by post. The two mechanisms require different sets of rules.


      The operative word in that statement is People. It is people who send email, and hence it is the person who sent the email who should be held accountable for its content.


      This whole mess with people litigating over every stupid little thing is caused by people refusing to take responsibility for their own actions.


      Yes, there are many situations where a person or a company has clearly wronged another, and in those cases the party at fault should be held accountable, in a court of law if necessary. But most cases that end up in front of a judge are cases of people not wanting to take responsibility for their own (often stupid) actions ... like the lady who sued McDonalds because she spilled her hot coffee in her lap while trying to drink it and drive her car at the same time.


      There are better ways to deal with the issue of email and corporate liability than the straightjacket one-size-fits-all legislation and policies which we currently have.

    2. Re:How is Paper Mail Handled? by Elvis+Maximus · · Score: 2

      Email is much more informal than paper mail, and people treat it accordingly. I can't imagine people in my office send or get chain letters, jokes, and photos of varying levels of propriety through the postal service. But the volume of the same kind of stuff they send and get over email is enormous.

      People are much more likely to send or receive "inappropriate" material via email than by post. The two mechanisms require different sets of rules.

      --
      Give me liberty or give me something of equal or lesser value from your glossy 32-page catalog.

    3. Re:How is Paper Mail Handled? by crism · · Score: 1

      At this job and a previous one, all incoming snailmail is opened by the secretary and stamped as received with today's date before delivery to the addressee. I don't know if they actually read it, but I certainly wouldn't want a Playboy or even a Maxim subscription coming to the office, certainly.

  56. Some imaginary conversations by alkali · · Score: 1
    (FADE IN to MY OFFICE. I'm THE BOSS, lounging in my leather chair behind my expansive desk. A TECH GUY enters, holding a piece of PAPER.)

    TG: Erm, Mr. Boss, sir, I have that Internet policy you asked for. (Offers PAPER to BOSS.)

    BOSS (inspecting PAPER): It says here that we won't read our employees' e-mail.

    TG: Erm, yes, sir.

    BOSS: So if I suspect that one of my employees is embezzling, or selling our secret formula for Slashdot Cola to my competitors, or tipping off friends about likely changes in our stock price, I can't look at files on the computer that was bought with the stockholders' money to find out?

    TG: Erm, well, sir, I don't want to play Big Brother.

    BOSS: Then go work at the Mickey D's drive-through. You're fired.

    (MY OFFICE, one week later. TECH GUY #2 enters, holding another PAPER.)

    TG2: Erm, Mr. Boss, sir, I have that revised Internet policy you asked for. (Offers PAPER to BOSS.)

    BOSS (inspecting PAPER): It says here that we won't read our employees' e-mail unless we reasonably suspect that they're doing some forbidden thing.

    TG2: Erm, yes, sir.

    BOSS: So if I suspect that one of our employees is embezzling, and I find out that he is embezzling, and I fire him, he can still sue us for breach of contract, alleging that even though he really was embezzling, I didn't have enough information to form a reasonable suspicion that would allow me to look at his e-mail? Which, by the way, is stored on the computer which was bought with the shareholders' money?

    TG2: Erm, well, sir, ...

    BOSS: Thanks so much. You're fired. Have a great day.

    (MY OFFICE, one week later. TECH GUY #3 enters, holding yet another PAPER.)

    TG3: Erm, Mr. Boss, sir, I have that second revised Internet policy you asked for. (Offers PAPER to BOSS.)

    BOSS (inspecting PAPER): It says here that we can read our employees' e-mail for any reason at any time. Won't our employees think that we're playing Big Brother, and be angry and resentful?

    TG3: I'll blather on to them about EEOC guidelines. Besides, all our competitors have the same policy. What choice do our employees have?

    BOSS: You'll go far in this company, Jenkins.

  57. Re:Mandatory Encryption by alkali · · Score: 1

    In general, you cannot escape legal responsibility for your agent's bad acts by willfully blinding yourself to them.

  58. Re:Privacy isnt the problem, Politcal Correctness by alkali · · Score: 1
  59. Logging doesn't prevent anything by scotpurl · · Score: 2

    I'm a consultant, and at my current client site, the lawyers have deemed that no email shall live more than 30 days. If it needs to live longer than that (some does, like contracts and product research), then it quite clearly becomes the user who is responsible (and who gets sued), and not the company, for anything that goes wrong from having that old email lying about. There are still ways of copying email outside the system, but POP and IMAP have been disabled on the servers to prevent local copies of email from accumulating.

    Keeping logs doesn't really protect you. All logging does is simplify a post-mortem, and provide a method for digging into someone's past and turning a non-event into something nefarious. If the data isn't collected, you can't turn it over to someone. :-)

    And the user can still send inappropriate email using any form of encryption such as, oh, any non-English language. Seriously. Are you going to spot check the emails written in French? Hindi? Farsi? Obfuscated Perl? How about keyword filtering in those languages?

    About the best you can do is use the same policy you have in place now for phone use. If it gets out of hand, you, or your co-workers will know (or will rat on the guilty). Make Human Resources play the part of bad guy, and have them deal with these personnel issues. Publicize the policy, and have a two infraction limit. First warning, a week without pay. Second warning, you're fired. Zero exceptions (including VP's and CEO's).

    Finally, I'm happy to see that you realize it's not that you're going to get 2,000 hours of perfect work out of an employee per year, but that the value of what they do during a year is greater than what you pay them each year.

  60. Some experiences I've had by RobertGraham · · Score: 3
    You can't avoid lawsuits in America; don't pretend there is a magic pill that will solve your problems. As for monitoring e-mail, there are no good standards yet. You cannot monitor all e-mail, but if an employee comes to you with a harassment complaint, you had better be prepared to start monitoring the offender's e-mail.

    I've documented similar experiences at: http://www.robertgraham.com/pubs/firewall-pr0n.html

  61. Devil Doll by elyxer · · Score: 1

    I want to kick it!

    Yeeeeeeaaaaaaaaaaaaahhhhhh!!!

  62. Re:law by Adam+Knapp · · Score: 1
    I believe "lewd" speech is as much protected as prayer is.

    Depends on what you are praying for really...

    In the US anyway, "lewd" speech usually isn't protected. "Offensive" speech is. The Supreme Court has found that there is a difference between yelling "F*ck!" and yelling "F*ck the government!".
  63. Why not get yourself protected as an ISP? by Adam+Knapp · · Score: 2

    I'm no lawyer but AFAIK this idea would work:

    Become a "private ISP" of sorts. Charge a nominal, required fee for use of the e-mail system. That way you could use some of the legal protections ISPs have.

  64. External Use Policy... by ErichTheRed · · Score: 2
    I've worked for a few companies, each with different Internet policies. Here's a sample. Numbers correspond to workplaces in each category.

    Web:

    1. No Web access without full officer approval (a bank.) Every move you made on the web was logged and tracked, plus "undesirable" sites were blocked out.
    2. Very little logging, but a proxy server filtered out things like Playboy, Dilbert, etc. (huge insurance company.)
    3. Unrestricted web access, very little logging (firewall logs blocked port attempts, etc.) (This is in my current gig with a huge worldwide systems company.)
    Email:
    1. Internal email only...no outside access at all (including blocking of Hotmail, etc.) except in certain, tightly restricted departments such as PR, customer service, etc.
    2. Full outside access, but everything was logged and passed through a word/content filter. I've seen many a sneaky sales manager get gently escorted out the door after they found that he was emailing files/kiddie porn/MP3s to his buddies. Very strict policy for if/when you screw up.
    3. No email filtering as far as I know.
    Now, here's what I have always used to govern my personal Internet use at work:
    • Nothing, and I mean nothing, of a personal nature goes through my work e-mail account. My ISP lets me read and send personal mail via the web, so I'm at least not wasting the company's mailqueue space. ;) Besides, if some goof from the outside sends me spam or a "restricted" piece of material, I certainly don't want it coming up to haunt me. Besides, I already get way too much email in my work account. :)
    • As for the web, it's the company's nickel you're using to browse. I try to keep personal browsing to a minimum, but most employers I've seen understand that blocking really isn't the answer. The only thing I'm guilty of overusing (other than reading Slashdot) is downloading stuff like patches and service packs for programs (I have 56K at home...try downloading W2K SP1 over that!!) It's just too damn convenient to download, burn to CDRW and take home.
    Now, if I ran the network (at least the external services end...) I would do the following:
    • Email: Most people have an ISP at home, and they can get email through that. If you let users access Hotmail, or send SMTP requests to their ISP, you'll probably cut the mail server traffic by a lot. If you're truly paranoid, append a disclaimer onto the end of the message.
    • Web: Trust your employees. Most are there to work. Some are there to download porn. They'll be found out sooner or later. Rather than actively block sites, if you feel you need to restrict access, make users read and sign an IT policy agreement. That's how Company #2 above deals with web abusers. The policy should state what is allowed and what isn't, clearly and specifically. A signed document is your best defense when kiddie-porn-man sues for wrongful termination.
  65. Re:Private moments. by EEEthan · · Score: 1

    Er...your job must really suck.

  66. Re:Mandatory Encryption by Dan+Kegel · · Score: 1
    I think this might be the way companies decide to go. For extra protection, the companies can choose an encryption product that shreds the email after, say, 90 days (and lets them turn off shredding if they get subpoenaed). Only one I know of like that at the moment is the Outlook plugin from www.disappearing.com.

    Disclaimer: I helped write their keyserver.

  67. Re:Liabilities by interiot · · Score: 2
    I can't find the link right now, but I also believe that a company has to take appropriate steps to ensure that trade secrets are kept secret, otherwise they can't sue someone for disclosure. This might include the necessity for monitoring email.

    This document has a number of good links related to this story.

  68. Liabilities by interiot · · Score: 3
    This is what can happen if you don't monitor your employee's emails. Chevron had to pay $2.2 million to employees because it allowed its internal email system to be used to transmit sexually offensive jokes.

    This page lists a few more lawsuits from company liability about email. To limit liability in such cases, they suggest:

    • Have an Explicit Written Email Policy
    • Have an Explicit written email monitoring policy
    • Have a User Education Program
    1. Re:Liabilities by radja · · Score: 1

      no, that's what happens if you live in a state where companies make the law.

      --

      No one can understand the truth until he drinks of coffee's frothy goodness.
      --Sheikh Abd-Al-Kadir, 1587
    2. Re:Liabilities by rdemanow · · Score: 1
      Chevron had to pay $2.2 million to employees because it allowed its internal email system to be used to transmit sexually offensive jokes.


      That's exactly the kind of thing I'm talking about when I say "personal responsibility". Given today's technology, and the technology of the foreseeable future, it is practically impossible to keep an employee from sending offensive or illegal material through a corporate email system.


      IMNERHO, it is the employee who sent the offensive email who should be held accountable. Company policy should require that the employee in question be fired. Company policy should also require that all employees be well informed that the company policy is termination in such cases.


      The law should require that the person responsible for the offensive email, not the company, be held accountable for its contents.


      Unfortunately, as has been pointed out before, common sense is not law. :(

  69. Re:Private moments. by slam+smith · · Score: 1

    It is the growth of the nanny state. Personal responsibility has become inconvenient. Why worry when the gov't will take care of it for you, of course never mind that in the process you lose your freedom.

  70. Make a policy by slam+smith · · Score: 1

    From what I've read in the media, I think if anything you are not worried enough. I personally would suggest that you write up an email policy for your company, and make it part of the employee handbook. I would include an acceptable use standard that limited what personal email was allowed (who they could email, i.e. family, and how much personal email they could send, maybe a few a day). I would then add an enforcement policy that basically said that you would do spot checks and investigate complaints, and then say that the punishment could be anything up to termination. I would also come up with an email deletion policy. Basically saying email will be deleted if it is more than x months old.

    While this is a bit draconian, it would give you some protection in lawsuits. Basically what you've done for your employees is given them some guidelines. It helps them know what you will allow and won't, most employees will likely appreciate this. If you do develop a policy make sure you enforce it. At my former employer we had a few morons who liked to mail internal confidential documents to trade rags. For their effort they got fired. If you have a clear policy on this stuff it makes it easier for you to protect yourself. Oh btw, I am not a lawyer.

  71. Re:Put simply... by slam+smith · · Score: 1

    And it comes out later that they were away from their desk and someone else visited that site from their PC, or someone sets their PC to the victim's IP when the victim's PC is down, or ..

    I've seen this happen before. Of course browsers keep logs of accesses including the time. So some security guard who wasn't smart enough to clear the browser cache got fired for looking up porn at 3:30 AM

  72. Re:simple things you can do by rdemanow · · Score: 1
    3) Make policy on personal web-browsing. Make it clear what is not acceptable. And deal with abusers promptly.


    I'd make that "deal with ALL abusers promptly."


    In far too many companies, middle and upper management are allowed to get away with things that would get the wage slaves on the factory floor or in the cubicle farms fired on the spot.


    Such policies only work (and only protect companies from wrongful dismissal suits) when they are enforced equally.

  73. Re:The Death of Common Sense by rdemanow · · Score: 1

    Well said, sir!

  74. Monitoring is not always a good thing by xerx · · Score: 1

    IANAL

    You are better off establishing a clear company policy and enforcing it when violated, this is how you protect your company from hostile workplace/sexual harassment suits. While recently reading many company handbooks, most clearly stated that email and web access was for company business only, not private use. Sexual harassment policy was also clearly stated as well.

    Monitoring or blocking can actually be a bad thing, because then you may become liable for failure to detect offensive email or to properly block sites. If you are monitoring, an employee could claim that you had knowledge of the conditions but did not take immediate action to correct them as stated by your policy.

  75. Re:Put simply... by Kintanon · · Score: 2

    This just sounds like a defamation lawsuit waiting to happen... IANAL, but anything more than "Bob violated the posted Internet policy" will be challenged by somebody, then the company will need to prove why it released personnel details on a terminated employee

    The fact that you visited www.livenudegoatpr0n.com at work is not a personal detail. It's information that the company can release to anyone it bloody well chooses because the entire transaction took place using company equipment and property and on company time. That means that it wasn't a private act, but a public act within the company. So you can't bitch that your company announced that you were fired because you were filling up the company's hard drive with pr0n.

    Kintanon

    --
    Check out JoshJitsu.info for Brazilian Ji
  76. Re:Put simply... by Kintanon · · Score: 2

    And it comes out later that they were away from their desk and someone else visited that site from their PC, or someone sets their PC to the victim's IP when the victim's PC is down, or ...
    That is a risk. A possibly expensive risk.



    I don't think you understand how corporations work, they aren't going to just notice hits to pr0n and fire the guy and announce it. They are going to notice the hits, set up some more intrusive monitoring on his machine, and find out everything they need to know to be sure it's who they think it is. Then discuss it with them, and continue monitoring. Corporations are VERY cautious because they don't like wrongful termination suits any more than any other kind of lawsuit.

    Kintanon

    --
    Check out JoshJitsu.info for Brazilian Ji
  77. Re:SMTP/POP doesn't work with subdomains. by Cramer · · Score: 1

    Dude, do you even know how SMTP works? The full address of the receiver is sent to the SMTP daemon... "RCPT TO: "

    POP and IMAP can trivially deal with this as well by having the user login with a full email address instead of a username, i.e. "user@sub.domain.com" or just "user@sub".

  78. small company big company by harappa · · Score: 2

    It depends on your company size.

    Sometimes, in a smaller company with 100 people - it is possible to work closely with the employees to ensure they understand the company standard practices. I have seen cases where in general meetings, the COO has tabled the issue and has asked for a consensus among the employees about how the company as a whole should deal with this issue.

    That is not really practical in a larger context. I work in an information services department with more than 4000 people in a largish corporation. For us, here, (and I'm not the person who enforces these policies here) there may not be really any other way out rather than blatant denial/interception.

    Whatever way you choose - it is wise to use understanding and care when dealing with such violations.

  79. Re:Set policy, set policy, set policy by Stonehand · · Score: 1

    Legally, I'm not sure they can monitor workplace phone (voice, not modem) communications -- ISTR that some law prohibits this, but it's worded in such a way that it doesn't extend to network data communications.

    --
    Only the dead have seen the end of war.
  80. "Open" isn't just for source by Ears · · Score: 1

    It's another one of those prickly problems, I guess, if the law is going to have that little disregard for the idea of "responsibility". But in the end, it sounds like it's going to come down to some kind of monitoring scheme, right?

    And maybe I'm hopelessly naive, but it seems like what you need to do is find a way to involve your employees in the process. Tell them what the problem is. Ask what kind of monitoring they'd find acceptable, and what they'd find intrusive. When you figure out what precisely your options are, ask your employees what they think of all of the different possibilities.

    And when you figure something out, tell people as EXACTLY as you can what you're doing, and how it works. Tell them what you expect of them; tell them what limits you are going to respect (and then respect them, of course).

    I'm sure some people will be a little put out, no matter what you come up with, but given that one can get all kinds of free e-mail accounts and that most have abundant access to the net, some restrictions on what one does at work shouldn't be too onerous.

    --
    Happy Premise #3: Even though I feel like I might ignite, I probably won't.
  81. Re:Put simply... by rkent · · Score: 2
    It's amazing to see the internet usage ramp down for a few weeks!

    Man! I can't imagine being so addicted to pr0n that you just have to get into it at work when the company policies so specifically forbid it (and it's NOT hard for your employer to check). Just seems dumb. I mean, I feel bad enough reading slashdot for an hour at a time, but at least that's not (specifically:) against company policy.

  82. Is The Company Liable For Computers It Gave Away? by GeekLife.com · · Score: 2

    Can Ford be sued for creating a hostile workplace if someone sees an offensive porn site on a computer that they provided for their employee (in their employee's home?). Is snooping necessary legally to prevent at home porn browsing on company provided computers?
    -----

  83. It's a matter of costs by werwerf · · Score: 1

    I work as a mail admin in a big company in Spain. One of the latest tasks has been to implant a "mail firewalling" policy to keep harmful attachments from reaching the company network (EXE files, Scripts, etc.). They are now considering restricting more things like big Jpeg attachments and even scanning mails in search of potential "threats" (porn, violent content, etc.)
    With the current software we are using we could obtain very detailed information about what employees are doing with corporate e-mail, but management knows something for sure: they will go as far as the cost of doing it is inferior to the cost of "improductivity" that e-mail activity produces.
    It is just too expensive to chase people around... It is a matter of money!

  84. What about Web/Wireless Mail? by Monochrome · · Score: 1
    On a related idea, what about Webmail or Wireless Email? Here in Canada I am in the employ of a company, but I also use my email address for personal use. This is not the issue. What if I were to access my email account via something like the Wireless Sympatico Service? It's a HDML site that connects me to my POP3 Email box via my cell phone. It's a handy service. But are they liable for the content of the messages that pass through their system? What about Hotmail-like services? Are they liable? How do THEY handle these situations?

    So aside from the obvious privacy concerns about checking my POP3 email using another service, if I send an email from my cell phone (never touches my standard SMTP server) or access one is the company that provided the service liable?

    I don't know.. Maybe it's a stupid question.

    1. Re:What about Web/Wireless Mail? by kitmarlowe · · Score: 1

      Well, we handle it by blocking online email sites and chat gateways out of hand. No Hotmail, no Yahoo, no mIRC.

      kitmarlowe

      --
      I gotta get a tight tension on...
  85. Double-Edged Sword by Nonesuch · · Score: 1
    Most places where I go, I run the proxy server, built it or at least have root on it.

    This is a double-edged sword, in that I am effectively exempt from any restrictions placed on web browsing (as I post this at 4PM CST), but I am also to some extent responsible for creating and enforcing those restrictions.

    Personally, I reserve my potentially objectionable web activities to my personally owned machine, be that a laptop tunneling to an external proxy, a ssh connection to a box with Lynx, or just waiting until I get home to download MP3s and pr0n.

  86. Re:Mandatory Encryption by Whatthehellever · · Score: 1
    The answer here is simple: PGP EVERYTHING!!!

    It's not the employee's fault if the employer's too stupid not to make a policy against sending PGP-encrypted messages.

    --

    ---
    IMHO, of course.
    May the SOURCE be with you.
  87. This is going to be unpopular, but... by pangur · · Score: 3
    You know, this is your company, your capital, and your ass on the line. If some 'smartass' is going to put keywords into his .sig to annoy you, this same 'smartass' could sabotage you in other ways ("He wants me to make another cup of coffee for him, who does he think I am? I'll show him."). If your employees have an issue with their e-mail being read and their web usage tracked, you can remind them of some facts:

    1) They can have all the e-mail and web surfing at home that they want. Even for free.

    2) You paid for the computers and the internet connection. You get to dictate terms of use. If they want to "represent" the company they need to abide by your rules.

    3) If they screw up and get you sued, you can fire them. You, however, can lose your business. Being the one to put your neck and reputation on the line by starting a business means you take more risks and can get more rewards. Don't let someone take that away from you because they wanted to "show you".

    Overall, if they are adults, they should realize the responsibility that they have to their place of work. If they want to violate your policy and expose you to risk, then someone else can hire them and take the risk. Or, they can become self-employed. Then they can see what it is like to have themselves exposed to risk.

    All my programs have a purpose. This one, for example, takes the contents of RAM and places it in a file called 'core'.

    1. Re:This is going to be unpopular, but... by rhombic · · Score: 2

      I agree completely. People, try to think of it in small terms first:

      Would you appreciate it if a roommate hopped on your computer and sent harassing/threatening e-mails out under your name? Probably not.

      Now what if you hire that roommate to write some code for you using your machine. He sends out threatening e-mails using your machine, again under your name, but now he's an employee. It's your computer, does the fact that you've hired him to write code on it give him the right to use it any way he wants?

      Now make it a small business with you hiring two coders, you own all the machines, do they have the right to use them as they please? Scale it all up-- at every level, the person/persons/shareholders who OWN the machines have the right to say what gets done with them. If you don't like it get a machine at home and a dial-up account.

      --
      1984 was supposed to be a warning, not an instruction manual.
    2. Re:This is going to be unpopular, but... by onion2k · · Score: 1

      Simple fact is that my employer has the privilege of employing me, I don't particularly care if I walk out. If my employer decides that he/she doesn't trust me then there is no reason why I should return any form of loyalty. It is the responsibility of the employee to vote for policies with their feet. If you want a job with personal email and internet access then get one. If an employer wants to monitor your web activity and you don't like it then don't work for them. No point in trying to change a corporate big brother policy, it won't happen. Just go somewhere else.

      And if you think no one would walk out of a job simply because it isn't enjoyable enough think again.. I'm going to be leaving my current one and going to a different company on exactly the same money entirely for that reason.

  88. Clear *GUIDELINES* by Andrew+Dvorak · · Score: 2

    Depending on the nature of your company, you might not want to strictly monitor such communications -- but be sure to create guidelines that all who are employed by your company can understand without legal counsel.

    If suspicion is strong enough, maybe monitoring communications minimally. Many companies do allow (without acknowledging) some personal activities to slip through the cracks, so long as the employee is doing their job. But I don't know about many professions and how easy it might be to get compulsively sidetracked, but I'll bet many companies that don't deal with consumers often don't always promote the most comfortable work environment in the name of saving money!

    Of course I'm wrong, so comment accordingly ;-)


  89. Re:Put simply... by bort13 · · Score: 1
    And it comes out later that they were away from their desk and someone else visited that site from their PC

    The way I hear it, however, is that users are responsible for their own workstations' security and the integrity of their password, and anyone having access to their workstation would hence fall under their responsibility, too (not too nice if you use Win9x). This is in addition to another respondent's assertion that a company would attempt to find a trail of similar indiscretions. In an era of firewalls/logging, and with the repetitive nature of pr0n-surfing behavior, it's pretty easy to completely track down someone using company equipment for such uses.

    Keep in mind, as well, that even with failsafes such as "at-will" employment[1], it can be difficult to fire someone and not worry about an expensive lawsuit. To get HR moving in many cases, you need hard evidence and a trail of it. This mostly handles the IP spoofing situation, but, yes, there might be some situations where repeated PC outages could be used as a smokescreen for this type of behavior. I think we're describing a teeny percentage of the cases, and in most instances, it's the user not paying attention to policy/consequences.

    It is tough for me to understand that your average user doesn't get this, however, and that so many still do surf porn sites on company time/equipment. Bandwidth is pretty cheap/available.

    1. "at-will" employment is a clause in a company's sign-on contract that states that an employee may leave for any reason, with or without notice, and a company may terminate the employee under the same conditions.

  90. Email guidelines & tips by bort13 · · Score: 1
    This is excerpts/paraphrases from a draft I wrote of email guidelines & tips for a company I was working for. It has not been perused by a lawyer so it is by no means necessarily restricted enough for corporate use. I think it was helpful, though.

    Email is intended to be an informal correspondence tool to assist in the employee's workday, as well as a vehicle for research and communication with clients and vendors. It is not supplied as a replacement for conventional business communications (i.e. written memos, phone conversations, meetings), but as a supplement and enhancement to them.

    Personal use of email should be restricted to the following conditions:

    • it does not add cost to company operations
    • it does not interfere with the duties of the employee
    • it is brief, small and infrequent
    • it does not in any way compromise company security or profitability

    Email should never be considered private, all messages are property of the company.

    Unsolicited email or questionable file attachments should be reported immediately. Running executable file attachments is not allowed.

    Sending the following types of messages is explicitly forbidden: chain letters and their ilk, virus warnings, messages containing sexual content, messages containing threats or abusive content, "spoofing" (impersonating another user), messages containing confidential company information.

    Tips

    Email can be misdirected, forwarded to someone else, and replies may go to more people than you realize. Do not put something in an email message that you would not want read by everybody.

    Never, ever execute an email attachment and never run a file someone has sent to you. Save the attachment first, open it with the application that it's intended to use.

    At this point in time, the most destructive viruses will appear as friendly attachments in messages from reliable sources. Be smart.

    Check the file size on that attachment you're sending! Limit distribution of attachments to smaller files, or compress files before sending them. Large attachments (1MB+) may be rejected by outside mail servers.

    Email takes up disk space, so delete messages you no longer need. The messaging servers are not file servers, and are not intended to be archives for your mail. Save messages to a local or network drive, or delete messages.

    Email can be junk mail in the eye of the recipient. Be conscious of your audience! Be sure that your message concerns them directly. Avoid forwarding messages unnecessarily, and use distribution lists with discretion. Never send to everyone in the address list.

    Avoid complicated backgrounds or non-standard fonts. Your recipients may have less powerful workstations or be on a dial-in line. Plain text is encouraged.

    There are no nuances in email, no facial expressions or tone of voice, so there is a greater chance of misunderstanding. Here are some tips on bridging the digital gap:

    Check that your subject line accurately represents your message.
    Be polite, be brief, be funny. (it helps)
    Proofread your message quickly before sending to ensure clarity for the recipient. Bad wording can misrepresent you. Don't rely on spellcheck to properly correct your words.
    Reply promptly, even if it's a short note telling the sender that you'll detail something later.
    Use autoreply if you will be away for long periods.
  91. OT: Re:law by bort13 · · Score: 1
    Lewd speech is no more protected by the constitution than yelling "fire" in a crowded place.

    One exception: Chicago's Soldier field during a soccer game.

  92. Bizarre Assumptions, Good Advice by Liza · · Score: 3
    As a former plaintiff's lawyer for civil rights cases, I sure wish it was as easy to win millions for the victims of harassment as GMHowell seems to think.

    Standard Disclaimer: I am not your lawyer.

    The fact is, if you have a business of more employees than you can count on one hand, you should probably have policies regarding personal use of the phone, Internet, and other office resources.

    This does NOT mean just write them down and stick 'em in a file cabinet. That's how you get in serious trouble with plaintiff's lawyers. What you SHOULD do is this:

    Tell your employees what kind of behavior you expect of them. Enforce it. Don't tolerate harassment -- sexual or otherwise.

    Your employees are not stupid. You can explain that a flirtatious UPS driver, or even going out for drinks with the office after work, are different from employees making frequent sexual comments about other employees, different from turning a blind eye to employees who send sexually explicit URLs around the office or spend time at work surfing those sites, and different from employees who hit on other employees and give them worse work assignments after being rejected.

    That last thing -- that's where most employers who get nailed in lawsuits really get nailed. People who end an on-the-job romance (or refuse to have one in the first place) shouldn't have to worry that they're going to get lousy assignments, no more promotions, or lose their job as a result. As an employer, you need to see to it that those things don't happen.

    --
    These opinions are my own. My employer is not aware of them, does not endorse them, and is not responsible for them.
  93. time to change the laws by MattW · · Score: 2

    I sympathize with the question. In terms of laws which regulate employers, those pertaining to sexual harassment are some of the worst. I'd tend to suggest an application layer monitor that checks keywords, and completely ignores messages which do not contain them -- carnivore, anyone?

    Really, we need an adjustment of the law. The judicial interpretation of the law has led to some amazing rulings regarding sexual harassment. Not only has it wrongly cost many companies money, time, and employees, but it has trivialized the truly evil sexual harassment which still goes on everywhere. It should always be the case that a company has a chance to rectify a situation after the fact. Any large company should have a contact person in HR who can receive a complaint, and companies should not have liability unless they fail to respond to a complaint. Anyone who can file a lawsuit can surely take a complaint to HR first; otherwise, I'd say they are motivated by greed and/or spite, and not just the desire to have a healthy workplace environment.

    Of course, it won't come as any surprise to slashdot readers that the country is in love with litigation, but the longer I work, the more I witness incidents where the spectre of litigation protects only the wicked, as it were.

    1. Re:time to change the laws by OverCode@work · · Score: 1

      IANAL, but according to a conversation with a lawyer, companies can avoid liability for sexual harassment if they provide all employees with clear information as to how complaints should be reported. Employees can't just up and sue a company over a trivial incident, unless the company fails to resolve the situation in an expedient manner, or fails to provide a way to file complaints. This lawyer also told me that it's much harder than most people think to successfully sue a company over this. I guess we just hear about the few cases that do go through.

      Again, I am not a lawyer, and I may have my facts wrong.

      -John

  94. law by twitter · · Score: 1
    There is no law that says you have to snoop on your employees. The author is not recomending any kind of law breaking.

    There are laws against rude behavior designed to protect select privaliged minorites: women, negros, homosexuals and to a lesser extent, hispanics. Ignored are unfavored minorities such as Asians. These are the laws that the poster claims are forcing companies to snoop on their employees.

    These laws are useless and un American. Oh, I hate rude people but my company is not responsible for this. Lewd speach is not protected, but just try to fire someone for being rude. Good luck.

    --

    Friends don't help friends install M$ junk.

    1. Re:law by twitter · · Score: 1
      Spelling, ha! Do you follow Webster or Oxford? Is your interpretation of English interpretations of the sounds of dead languages any beter than mine?

      Women are a minority in the work force. Despite efforts to put more of them to work, women over the age of 30 in the workforce are an anomoly. No western society has yet to pass Jefferson's criteria of savagry where women are put to the plow.

      Lewd speech is no more protected by the constitution than yelling "fire" in a crowded place.

      --

      Friends don't help friends install M$ junk.

    2. Re:law by twitter · · Score: 1
      In most places it is against the law to pull your dick out. It's called indecent exposure.

      There are laws against wrongfull dissmissal and companies have been bit by them.

      Yes, I believe that the laws that our snoop avoiding poster worries about were put in place only to protect certian minorites. Shell got burt a while back for having an executive with a mindset that was detrimental to negros. No policy was ever proved, but his tape recorded mutterings on the subject got his company fined millions of dollars. Would Shell have been nailed for a similar atitude about crackers? Koreans? Dumb Blonds? I don't think so. Yes, he lost his job. All of it is simply rude behavior and enforcing maners should not be a government concern. This kind of stuff wastes resources to make lawyers rich.

      My mish mosh accuratly reflect the confused state of the law. On one hand the ACLU has fought for the rights of people to publish porn, and do other things that are disgusting and of no public value. In fact, most people think porn is degrading. On the other hand, people have noticed that such things can be offensive. Well, duh. At the University of North Carolina a group of students started an S&M club, claiming that they were a misunderstood minority. They were initially granted space in their union and funding. This was later revoked. Can you tell me the difference between an S&M club and the Homosexual club? The difference is that one pleased the administration and the other did not. Broad principles are not being applied.

      Jefferson, in his Notes on the State of Virginia, predicted that excessive imigration would lead to a devided body politic and, ultimatly, confused laws. We have both, and it's obvious that some segments of our population are all in favor of surendering rights that Jefferson held dear.

      That the loss of freedom of speech would lead to a loss of privacy is not too suprising. But it's repulsive to see bad laws it used as an argument in favor of bad policy. Email and phone conversations should be given the same protection US mail is.

      --

      Friends don't help friends install M$ junk.

    3. Re:law by InsaneGeek · · Score: 1

      I never said it was a good or bad law, or that you had to snoop on your employees; but the poster gave as advice to someone wanting to protect themselves from lawsuits to NOT try to protect themselves and change the law, that's the part I have issues with. I wasn't saying to break the law either, but if one of his employees does by accident, it's still his problem and often a multi-million dollar problem.

      Your second paragraph is a mish-mosh of ranting. Do you believe those laws were put in place to only protect certain minorities? Do you think there should NOT be a law that says it's wrong to have a boss pull out his d*ck in front of his married secretary and give the option of being fired? I think the extent some of these laws are applied to is a problem, but what the laws were meant to protect by their creators I agree with.

      Actually you can fire someone for being rude. There is no law that says I can't fire you for being rude, dressing inappropriately, etc. I can not fire you for the usual race, religion, sexual orientation, etc. but anything else really is fair game.

    4. Re:law by InsaneGeek · · Score: 1

      Yes it should and does, it was added for emphasis to plainly show to everyone my point.

  95. Big Brother doesn't have to watch by mmmmbeer · · Score: 1

    The best compromise I've seen for this situation is to have full access to monitor everything your employees do. Then just don't use it. You aren't really intruding into your employees' privacy, because you aren't watching what they do. But you have everything in place in case you do need to start checking up on them. The important thing is that you explain this to your employees, so they know that a)they shouldn't be doing anything that can get them in trouble, because you could be watching, and b)they shouldn't worry about their privacy because, as long as they behave themselves, you won't be watching.

    1. Re:Big Brother doesn't have to watch by mmmmbeer · · Score: 1

      How much do You trust your Boss?

      I'm posting on /. from work. You do the math.

  96. I would say speak with the employees by Mr+Krinkle · · Score: 1

    I am guessing from the sounds of it this is a fairly small company. If not then ignore this and use managers etc. Try and hold a company wide meeting and let them know your concerns. Then maybe tell them in general what you are thinking of and ask them for ideas. At least that way if you do have to resort to big brother they will be aware and won't try and sue you for invasion of privacy or some crap. Too many lawsuits. Oh well Good luck.

    --
    I am 31337 or something.
  97. e-policy by purefizz · · Score: 2

    There's a book about policies you can implement to protect your company... "e-policy"

    http://www.amazon.com/exec/obidos/ASIN/0814479960/

    kick some CAD

  98. Re:Totally wrong solution - OT political comment by JackiePatti · · Score: 1

    What if both yo-yos say that? Then vote for the Libertarian candidate; he or she will NOT be saying that.

  99. Strengthen internal communication by marshall11 · · Score: 3

    Technology is not going to protect you from lawsuits because technology did not cause the lawsuits. Just because it is easier for employees to keep in contact with people from outside the office throughout the day does not mean that your chances of getting sued increase. When it was fax machines and snail mail, wasn't there also still butt-slapping and memo-boards? The situations in which a sexual harassment or other company damaging claims could occur weren't able to be stopped by technology back then, and they aren't going to be stopped by technology now.

    Some of the solutions were already in your question. (1) Hire dependable, hard-working, trust-worthy people. (2) As your company grows don't let them lose touch with each other or resources for help in case something does happen to them. In other words, get a strong, honest, HR director or department, someone your employees feel is on their side and not the company's. (3) Talk to a good consulting firm that handles HR issues like workplace grievances and see what they recommend (4) and since it will happen someday, get a good team of lawyers.

    The solution to the issue of unwanted lawsuits lies not in controlling outside contact, but strengthening contacts inside the office.

  100. Monitoring..sure way to get sued by Kagato · · Score: 2

    In a previous life I was one of the head administrators of a very very large e-mail network for a very very large company. 300+ servers, 60 countries, etc, etc.

    E-mail policy was a huge issue for us. The technical team and the legal team looked at it from several sides. The first thing we thought of was the cost of monitoring e-mail and what problems it may cause. The biggest problem was that actually monitoring e-mail caused far more issues than not.

    It was far more likely that we would be sued for terminating someone over an e-mail rather than waiting and responding to a complaint about said e-mail. The biggest factor in this was dealing with low level management. Frankly, the low level is there to watch the clock and fill out reports. The probability of a manager making under 30K a year correctly handling the situation was quite low as well.

    Furthermore, by opening mail up to be read we risk disclosing information that would break NDAs and FTC rules. For instance we wouldn't want mail about a merger or sell off to be made public until it was legally correct to do so.

    In the end the mail policy was set up so that monitoring of e-mail would only be allowed in the case where a VP level or higher authorized viewing the mail. Any other complaints would be handled via HR channels.

  101. Put simply... by Dr+Caleb · · Score: 4
    They are adults.

    At least they should be considered so.

    My company has a simple policy - pretty much open internet. Some sites throw up red flags and are blocked (such as playboy.com).

    We publish the company's internet usage policy on the intranet home page. No one has the ability to change that home page. They are required to abide by the rules of internet usage.

    If they don't, the rules are simple - termination.

    And we make a big deal out of it. Terminations are not announced (the rumour mill takes care of that...), but when employees are convicted of having soft/hard/child pron on their machines, a letter of explanation goes out from the company president.

    It's amazing to see the internet usage ramp down for a few weeks!

    --
    "History doesn't repeat itself, but it does rhyme." Mark Twain
    1. Re:Put simply... by Frank+T.+Lofaro+Jr. · · Score: 1
      And it comes out later that they were away from their desk and someone else visited that site from their PC, or someone sets their PC to the victim's IP when the victim's PC is down, or ...

      That is a risk. A possibly expensive risk.

      --
      Just because it CAN be done, doesn't mean it should!
    2. Re:Put simply... by Suidae · · Score: 1

      I know of a guy that worked at a bank, taking customer calls. He worked in a cube-farm, with 4-foot walls. Internet access was prohibited, obviously because you can't have computers with access to the customers account and credit card info on the 'net.

      This guy was so bored/stupid/desperate that he figured out how to get around the network setup to get himself internet access, then used customer credit cards to sign up for the highly illegal, genuine kiddy porn sites, which he then browsed as he sat at his computer, which his coworkers could see.

      What a winner. Yes, the police escorted him away from the building, dunno what happened to him after that.

      Absolutely true story.

    3. Re:Put simply... by Suidae · · Score: 1

      Covertly redirect his pron sites to kiddy pron sites and give them those logs :)

    4. Re:Put simply... by Ian+Wolf · · Score: 1

      I have yet to be surprised at the seemingly bottomless pit of human stupidity.

      --
      "The words of the prophets are written on the Slashdot walls."
    5. Re:Put simply... by csmacd · · Score: 1

      This just sounds like a defamation lawsuit waiting to happen... IANAL, but anything more than "Bob violated the posted Internet policy" will be challenged by somebody, then the company will need to prove why it released personnel details on a terminated employee...

      --
      Don't pick up the pho*(@)$*@&@!@ NO CARRIER
  102. (OT)OK... forget I said anything. by yerricde · · Score: 1

    Should have read the RFCs first.
    <O
    ( \
    XGNOME vs. KDE: the game!

    --
    Will I retire or break 10K?
  103. Missing the Cluetrain. by jamused · · Score: 1
    Whoops. Now there's a suggestion that misses the Cluetrain.

    "Thank you for your recent message to customer support. Please be advised that there will be a seven to ten day delay while our legal department reviews our customer support staff's reply. Thank you for your patience while we reduce our legal liability."

  104. Re:Society (ie you and me) needs to change by blicero · · Score: 1

    This litigious culture is largely the result, not of over-zealous individuals, but of a political system unwilling or unable to directly regulate the conduct of corporations. To use one of your examples: the states sued the tobacco companies because, even though smoking causes epidemic-level health problems, Congress was so compromised by Big Tobacco money that the only viable option was to sue.

    Social policy today is set in courts, not in congress. If you are unhappy with this, don't just blame people suing. Blame a system of representation that is largely broken, broken by corporate money. Not suing people is not going to help much, but working to change the system of representation, and electing people willing to change it, will.

  105. It's not that hard... by kitmarlowe · · Score: 2

    I am the mail/network admin for a midsized company. We have limited capital, and therefore limited bandwidth (the big pipes cost big money).

    Because of this and to protect ourselves from the liability mentioned above, we monitor email in a way that we consider to be reasonably fair. All incoming, outgoing and intercompany emails are scanned for a set list of words and phrases (that was an interesting day, keying in all of the offensive words I knew), in addition to being virus scanned, checked for size, etc.

    Incoming mail that throws a lexical violation (contains enough of the words/phrases to red flag it) gets bounced with a polite message regarding inappropriate business content. Outgoing and intercompany mails which we might be liable for that throw a lexical violation are forwarded directly to the head of HR, who determines if it is necessary to take any action. 9 times out of 10, nothing is done.

    Regarding the web, we catch every single URL that gets keyed in. We do restrict and filter content, more to reduce bandwidth usage than any other reason. On the other hand, as the guy who had to search the logs, I can tell you definitely there were people surfing porn. I'm not talking about an occasional glance either, I'm talking an hour long porn fest. The software we use allows us to tailor a surfing policy for different groups of users. Data entry personnel who don't need the internet for business use simply don't have access. My company pays for the pipe. They pay for it so the business can grow, not to provide an ISP to employees.

    As a final note, I saw someone talking about smartasses who put all of the offensive words in their sig. Yes, it's very cute, and it happened to us several times. I've found that after an extended conversation with both HR and the Manager of Information Security they find better uses for their time.

    --
    I gotta get a tight tension on...
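The threshold-based keyword filter suggested in comment 93 and described in comment 105, sketched as an added example; it is not the commenter's software or word list. The domain `example.com`, the placeholder terms, the threshold of 2 and the `signature_driven` flag (marking messages that trip the filter only because of their signature block) are all assumptions.

```python
import re
from dataclasses import dataclass
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the company's mail domain
# Placeholder terms; a real list is site-specific and may include phrases.
FLAGGED_TERMS = ("alphaterm", "bravoterm", "charlie phrase")
THRESHOLD = 2  # assumption: distinct flagged terms needed for a violation

# Conventional signature delimiter: a line holding only "--" or "-- ".
SIG_DELIM = re.compile(r"^-- ?$", re.MULTILINE)


@dataclass
class Verdict:
    direction: str          # "incoming", "outgoing" or "internal"
    action: str             # "deliver", "bounce" or "forward_to_hr"
    hits: frozenset         # distinct flagged terms found anywhere
    signature_driven: bool  # body alone would not have reached the threshold


def _domain(addr: str) -> str:
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def classify_direction(msg) -> str:
    """Decide direction from the From/To/Cc headers."""
    if _domain(str(msg.get("From", ""))) != COMPANY_DOMAIN:
        return "incoming"
    headers = [str(h) for h in msg.get_all("To", []) + msg.get_all("Cc", [])]
    rcpts = [a for _, a in getaddresses(headers) if a]
    if all(_domain(a) == COMPANY_DOMAIN for a in rcpts):
        return "internal"
    return "outgoing"


def find_terms(text: str) -> frozenset:
    """Whole-word (or whole-phrase) matches, case-insensitive."""
    low = text.lower()
    return frozenset(
        t for t in FLAGGED_TERMS
        if re.search(r"\b" + re.escape(t) + r"\b", low)
    )


def evaluate(raw: str) -> Verdict:
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""
    pieces = SIG_DELIM.split(text, maxsplit=1)
    body, sig = pieces[0], (pieces[1] if len(pieces) == 2 else "")

    body_hits, sig_hits = find_terms(body), find_terms(sig)
    hits = body_hits | sig_hits
    direction = classify_direction(msg)

    if len(hits) < THRESHOLD:
        return Verdict(direction, "deliver", hits, False)
    # Routing as described in the comment: bounce incoming mail,
    # send outgoing and intercompany mail to HR for a human decision.
    action = "bounce" if direction == "incoming" else "forward_to_hr"
    return Verdict(direction, action, hits, len(body_hits) < THRESHOLD)


# Constructed sample messages (not real mail).
SAMPLE_INCOMING = """\
From: vendor@outside.example
To: alice@example.com
Subject: hello

This note mentions alphaterm and also bravoterm.
"""

SAMPLE_OUTGOING_CLEAN = """\
From: alice@example.com
To: vendor@outside.example
Subject: order

One mention of alphaterm is below the threshold.
"""

SAMPLE_SIG_STUFFED = """\
From: bob@example.com
To: carol@example.com
Subject: lunch

Lunch at noon?
--
alphaterm bravoterm charlie phrase
"""

if __name__ == "__main__":
    for name in ("SAMPLE_INCOMING", "SAMPLE_OUTGOING_CLEAN", "SAMPLE_SIG_STUFFED"):
        print(name, evaluate(globals()[name]))
```

The `signature_driven` flag lets the reviewer separate the keyword-stuffed signatures both the question and this comment mention from messages whose body actually tripped the filter.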
  106. Conflicting Interests by Self+Bias+Resistor · · Score: 1

    I know there's no easy solution to this whole employee privacy/employer responsibility issue but I think you first have to consider how much time employees are spending on the Internet.

    I agree, a five-minute break checking eBay for a limited edition CD or something like that is pretty trivial and employees shouldn't be having a heart attack over it. But if an employee is spending so much time on the 'Net that it's really screwing up their productivity then something has to be done. Although it has to be said that monitoring individual employee keystrokes, keywords and opening their email goes over the line and if that's what's happening at your workplace then do something! Which brings me to my next point.

    The most important thing in this entire issue is that employees know where they stand regarding privacy issues. If an employee doesn't know what the regulations are regarding the privacy of their communications then it just creates an atmosphere of distrust and suspicion and that is when you feel that Big Brother is watching you.

    Self Bias Resistor
    "Imagination is more important than knowledge." -Albert Einstein

    --

    ----------
    When the pin is pulled, Mr. Grenade is no longer our friend.

  107. The Death of Common Sense by Scot+Seese · · Score: 3

    Haven't we conclusively proven already that one lawyer can cloud legal judgement, and a committee can completely kill the publicly accepted standard of common sense? You most likely allow your employees to use their break time to telephone a loved one from work; If they are instead using their lunch time to call their ex, who in this scenario has a restraining order against them, are you laterally responsible for providing the telephone at your workplace?! If an employee puts THEIR stamp on a piece of personal mail, and drops it in the company's outgoing mail chute to save a trip to the post office, are you responsible for its content? I could only hope that if an employee were using your company email to send or receive objectionable material, the parties involved in any subsequent legal action would be.. the sender, and the receiver. You are running a company, employing adults, not running a day-care center. If your IS manager came to you and suggested that SOMEONE on the network was sending/receiving an inordinate amount of email, it would warrant a short conversation regarding the limitations of personal usage. What is being discussed here, in abstract, is the problem with the US legal system and society as a whole, that being the Death of Responsibility. It's always someone else's problem, isn't it?

    --
    THIS SPACE INTENTIONALLY LEFT BLANK.
  108. EEOC law != "quotas" by gonerill · · Score: 2

    "I manage a small business and am well aware of how bizarre the EEOC and others can get when it comes to sexual harassment, racial quotas, etc." The EEOC does not and cannot mandate or enforce anything resembling "racial quotas." Like many aspects of American Law, equal employment opportunity laws state a general principle but are (a) very vague about what constitutes compliance, (b) weak on enforcement mechanisms, and (c) usually allow professional organizations (consultants, personnel departments) to determine what compliance means. Throwing around phrases like "racial quotas" is plain wrong and very misleading.

  109. Does your phone store the message before sending? by rhombic · · Score: 1

    There is one gigantic difference between e-mail and phone-- an employee's phone conversation is not temporarily stored on an employer-owned machine prior to being sent. E-mail is. And the incoming e-mail is stored on company machines indefinitely. This changes things quite a bit. It makes e-mail much more similar to business correspondence on letterhead. The phone is a poor analogy for e-mail in a business setting.

    --
    1984 was supposed to be a warning, not an instruction manual.
  110. Re:This is (going to be) unpopular, but... by rhombic · · Score: 1

    When an employer needs the tool of tabs on internet and phone use to assure their employees are putting in their money's worth of work...

    That's usually not the issue. Ordinary productivity goals/yearly reviews are good enough for that. The reason to archive/be able to review e-mail records isn't to make sure the employee is working, it's to make sure the employee isn't using the company hardware to do something illegal for which the fscked up US justice system could break the company.

    Although the law is not quite clear most people expect the same protection against reading of their E-mail as there is against the unauthorised opening of ordinary mail, WHY NOT?

    Erm, I'm not sure about Holland, but in the US if a letter arrives addressed to me as Me, Agent of My company, My Company's address, it's company mail and while it wouldn't normally be opened, if the company wanted to, it could. It's NOT ordinary mail, it's company correspondence. And any mail I send out on letterhead is company business, and is normally photocopied before being sent.

    I don't know for sure, but if you work for the government, all that mail may be subject to Freedom of Information rules that not only let your employer read it, but everyone else who asks.

    Modern companies set productivity targets and when people are meeting them it's rather unimportant what else they do!

    Well, in the US, modern companies have a reasonable fear of multi-million dollar lawsuits if an employee abuses the company resources. I don't care how productive you are, if you do something to get the company sued into bankruptcy, you're not meeting your productivity target. And it's so trivially simple to prevent these things by keeping personal & public e-mail separate. I don't even make personal phone calls on the company phone any more-- the cell phone is mine, paid for by me, and all my personal calls go through it, unless it's an emergency. It costs a little more, but it sure keeps life simple.

    --
    1984 was supposed to be a warning, not an instruction manual.
  111. simple things you can do by rhombic · · Score: 3

    There are a few simple things you can do to cover your end and make employees life easier:

    1) Have a written internet policy. Work it over carefully. And have every employee who gets an internet-connected computer sign that they've read, understand, and agree to abide by the agreement.

    2) Business e-mail is the same thing as letterhead. Employees don't use letterhead for personal correspondence, they shouldn't use business e-mail for personal purposes. Hotmail, yahoo! mail, go mail, there are a hundred free e-mail services out there that work just fine. Simply make policy that the business e-mail is business use only. Period. Help users set up hotmail/yahoo/whatever if they want. Bingo! You have no ethics problems with full logging/reading every e-mail that goes through. There are no personal/privacy issues to deal with. If an employee gets caught using it for personal purposes, there's no reasonable expectation of privacy since you've already stated that it's business only and will be logged.

    3) Make policy on personal web-browsing. Make it clear what is not acceptable. And deal with abusers promptly.

    4) Sexual harassment: this is only a real problem if something is brought to your attention and you fail to act on it. If the delivery guy is being inappropriate, you ought to be on the horn to the local delivery office immediately if not sooner! As soon as you mention "sexual harassment" and "we're discussing this with legal" the guy will be on notice, and if it happens again, he'll be fired. Guaranteed.

    --
    1984 was supposed to be a warning, not an instruction manual.
  112. Further Reading by ATKeiper · · Score: 3
    We have an archive of related articles on our Personal Security page, here: http://www.tecsoc.org/persec/persec.htm#workplace

    - A. Keiper
    The Center for the Study of Technology and Society
    Washington, D.C.

  113. Re:Weird thought - disallow email. by Frank+T.+Lofaro+Jr. · · Score: 1

    Securities and Exchange Commission (SEC) rules mandate some restrictions on e-mail for brokerage firms.

    --
    Just because it CAN be done, doesn't mean it should!
  114. Re:The real issue by Frank+T.+Lofaro+Jr. · · Score: 1
    It's not always the laws that are at fault, but the courts' interpretation of them.

    Then again, a lot of lawyers become judges, so much of what you said holds true in that case also.

    --
    Just because it CAN be done, doesn't mean it should!
  115. suggestions by aaronhaley · · Score: 1

    I feel that you can't be too overprotective or you run the risk of alienating your employees and infringing on their privacy. At my company we have systems in place where we can monitor individuals but it takes a very high order to do so. This way if we get in a situation where there might be a problem we can then monitor individual people. This lets people have their freedom and still protects us as well.

    --
    --And sektor spoke and said unto the people. Hey, buttwipe hand me the cheezeos.
    1. Re:suggestions by shippo · · Score: 1
      Two years ago I started working for a new employer. The Managing Director of the company was really horrible regarding privacy. Let's call him Mr Arsehole.

      The main network ran NT 4.0 with Exchange (never got to find out which version), but no external email. It was company policy to have all passwords set to blank, and you were not allowed to change this. This was to allow the boss to read anyone's email outside office hours.

      If you needed to send internet email, you had to do it from the ISDN dialup machine next to his desk, during which you were supervised the whole time. The only valid use appeared to be sending software updates to customers.

      What really annoyed me, though, was that one colleague had some personal mail sent addressed to work, marked 'Private & Confidential', as he was only living in temporary accommodation. Of course, Mr Arsehole decided to read this private mail.

      And working hours didn't begin until Mr Arsehole actually turned up, which on my second day meant I was stood outside the office for 50 minutes.

      I stayed there 2 days. I've no idea if they are still in business, but I've not seen much evidence since.

  116. Re:Private moments. by silicon_synapse · · Score: 1

    If I write a threatening letter and drop it in my company's outbound mail box is it really the company's fault?

    If it uses the company's letterhead and logo (company domain in e-mail address) then it IS the company's responsibility. The employee is then acting on behalf of the company. If a telemarketer calls your house and cusses you out, do you call the telemarketer at home or do you call the company manager? (assuming you know their names) You (should) call the manager because that telemarketer is representing the company. When you are at work, you ARE the company. Act accordingly.

  117. Apply open-source principles to the problem! by mcrbids · · Score: 1

    Wouldn't it be nice if this were TRUE?

    Unfortunately, putting something on the Internet is being legally interpreted as "publishing" - and this applies to e-mail as well. (much e-mail ends up forwarded and put on e-mail list archives, etc)

    Do you have a responsibility, as a business owner, to see what you are "publishing"?

    Unfortunately, the answer seems to be "yes".

    But, people don't resent an "open" solution if they know it's there. Nobody minds a camera posted over their head if it's obvious, especially if they can SEE what's being/has been recorded.

    Here's what I would do:

    1) Provide company e-mail addresses to those employees that need them.

    2) Provide PRIVATE e-mail addresses (hosted at an outside ISP) for personal use. Maybe even include dial-up access as well. (cheap, what, $15 or less in most areas?)

    3) Filter in only those messages originating AS an internal user.

    4) Make a local web-page that lets everybody inside the business SEE all e-mails that have been sent in a "revolving door" deal. Also allow anybody to view e-mails by user, date, recipient, etc.

    Like with software, we're finding more and more that the best policy is the OPEN one...

    -Ben

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
  118. Restrictive Outbound Firewalls by NevDull · · Score: 2

    First, let me say this: If a company expects me to be at work anything above and beyond what is recognized as a standard work week, they can fuck themselves if they don't want me using company resources to rearrange the rest of my life to suit them.

    Back to company policies. The company for which I work has RFC1918 addresses for internal systems, NATted out through a firewall which only allows outbound on 80 and 443 for almost all systems.

    Being non-stupid, I set up an SSH daemon on port 443 on an outside box and set up tunneling, but that's beside the point.

    Point is that my company chose to place restrictions such that using external non-webmail accounts was impossible (well, for the 99% who tend to lack clue). MSIE is set up here by default to use their proxy, and settings on the workstations are locked down.

    Were their choices better because they were diligent in limiting use?

    Were they worse, because by not allowing SMTP, POP, SSH, telnet, and unproxied FTP, they encouraged the use of company applications and company servers, and not just company connectivity?

    Since I can tunnel everything including web traffic (got me a proxy outside) they can't even see anything but one really long connection to a single host which comes up with nothing when they pop it after https://.

    Reliability suffers, and my TCP/IP stack on this damned Windows box blows up too often with all the forwards, but have they won, have I, or neither?
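    The situation in the comment above, seen from the firewall side, as an added example that is not part of the original post: a Python sketch that reviews port-443 flow records for payloads that are not TLS and for sessions that stay open unusually long. The `Flow` record layout, the four-hour threshold and the sample flows are assumptions constructed for illustration.

```python
"""Review port-443 flows for traffic that is not ordinary HTTPS (added example)."""
from dataclasses import dataclass


@dataclass
class Flow:
    # Hypothetical record layout; real flow sensors name these fields differently.
    src: str
    dst: str
    dport: int
    duration_s: int
    first_bytes: bytes  # first client payload bytes seen on the connection


def classify(first_bytes: bytes) -> str:
    """Identify the protocol from the first client bytes."""
    # RFC 4253: an SSH peer opens with the identification string "SSH-2.0-...".
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: type 0x16 (handshake), version major 0x03, a 2-byte
    # length, then the handshake type, where 0x01 is ClientHello.
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    return "unknown"


def review_flows(flows, max_tls_seconds=4 * 3600):
    """Return (src, dst, reason) for each port-443 flow that needs a look."""
    findings = []
    for f in flows:
        if f.dport != 443:
            continue
        proto = classify(f.first_bytes)
        if proto != "tls":
            findings.append((f.src, f.dst, f"non-TLS payload on 443 ({proto})"))
        elif f.duration_s > max_tls_seconds:
            # A valid handshake says nothing about what follows; flag by age.
            findings.append((f.src, f.dst, f"TLS session open {f.duration_s}s"))
    return findings


# Constructed sample flows; addresses come from RFC 1918 and RFC 5737 ranges.
SAMPLE_FLOWS = [
    Flow("10.1.4.22", "192.0.2.10", 443, 95, bytes.fromhex("160301020001000001fc0303")),
    Flow("10.1.4.57", "198.51.100.7", 443, 31200, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.1.4.80", "203.0.113.5", 443, 52000, bytes.fromhex("16030100c8010000c40303")),
    Flow("10.1.4.22", "192.0.2.10", 80, 40000, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for src, dst, reason in review_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {reason}")
```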

  119. Just store it.... by Viper23 · · Score: 1

    Storing the information without looking at it until a complaint is filed should be perfectly reasonable legal protection. Even if you look at the e-mail your employees are sending out, the mail has left the building before you see it. So, either way the damage is already done. In the same sense, a company wouldn't be expected to bug employees they send out together on business trips to make sure they don't harass each other. They wait for a complaint to be filed.

    As far as web browsing, the company really shouldn't care what the employee is looking at as long as it doesn't disrupt their project completion, and no one complains as to the material on their computer screens.

    Basically, companies have gotten so worried about the idea that their employees might be caught doing something wrong that they want to catch them before they even do anything. Even the police don't do that. They come in to clean up after the fact.

  120. Private moments. by Mike+the+Mac+Geek · · Score: 1

    Companies should provide two Email addresses. One for internal (business) and one external (personal). Monitor the internal. Make back up logs of the external, but do not open them unless required by a judge to.
    Or, by the same lines, stop blocking sites like Hotmail off. If people want to send personal EMail, make them use that, and then it is totally the responsibility of the user.

    --
    The man, the myth, the something or other.
  121. Re:Disclaimers by Karmageddon · · Score: 1

    Actually, it reminds the employees' friends. The employees never see it.

  122. The real issue by guibaby · · Score: 1
    The real issue is not whether the company is responsible for their employees' behavior. The reality is that lawyers go after the companies because, me friends, that is where the money is. And as everybody knows, Money is what makes the monkey dance. Dem is the real rules of the game. You might then ask, "gb, Why do the laws agree with this false assumption of guilt by employment?" Probably because the people who make the most money off of this kind of crap, THE LAWYERS, are the ones who make the laws.

    --
    Historically, the claim of consensus has been the first refuge of scoundrels.
  123. Re:Disclaimers by zlite · · Score: 1

    They see it on replies when their email is autoquoted back.

    Or, if it's made part of their .sig by policy, they do see it in their outgoing email.

  124. Disclaimers by zlite · · Score: 3

    A lot of banks and law firms (who are most vulnerable to liability) automatically append boilerplate disclaimers to the bottom of all outgoing email. Is it irritating? Yup. Does it work? Maybe. But it certainly reminds employees that liability and responsibility are issues that they should keep in mind.

    Most importantly, it may be able to save you the ugly mess of an email screen.

    1. Re:Disclaimers by csmacd · · Score: 1

      I think disclaimers are overrated - too much like the "waivers" people are forced to sign for school trips, etc. IANAL, but one that I know well has said (frequently) that a "waiver" can never release a person or group from negligence.

      So, while a disclaimer might make the CEO feel better, I wouldn't count on one standing up in court, particularly if the other lawyer is any good.

      --
      Don't pick up the pho*(@)$*@&@!@ NO CARRIER
  125. Alternative Approach by AndrewD · · Score: 2

    This one came about by default, owing to some seriously loopy system design and purchasing decisions. We use Groupwise here in the office, with everyone's permissions set to full. It's useful, because a lot of our business (lawyering) has to be done right now - the fact that someone's out of the office, tied up in a meeting all day or asleep at the switch won't wash with the clients.

    The upshot is that everyone can read everyone else's email. The web isn't logged or monitored, but the office is open plan. So everyone can see that I'm posting to /. between drafting contract clauses.

    Total openness and good old-fashioned embarrassment mean that nothing untoward goes on.

    Whether this system would work in an environment that didn't consist of a majority by weight of lawyers is left as an exercise for the student.

    --

    -- AndrewD

    A Maze of Twisty Little Laws, All Different.

  126. Educate them by MagicYoshi · · Score: 5

    I've always felt that when you give people all the information, they often can be trusted much more.

    When I was in college, I was involved with a school program that was being threatened with being shut down because incoming students would complain that they were pressured into drinking. However, there were 400 students involved in the program and there was no way we could police them all. The students in charge of the program appealed to the other students, explained the problem and explained the consequences and we had almost no problems. A couple of years later, it had become a "rule", and it's now a problem again. My point is that when we explained the situation, they wanted to help and were able to.

    As far as the UPS person flirting with a receptionist, if your receptionist has some sort of way of getting help or discreetly calling someone into the room, the flirting will not be a problem. I would think any judge would look at that and realize the company had done all it could. But then, IANAL.

  127. Mandatory Encryption by blameless · · Score: 2

    If your employees are forbidden from sending email that is not encrypted, then you can't monitor their email.

    There are a ton of other reasons a policy like this makes sense; indemnifying yourself from such lawsuits is just a convenient side effect.

    --

    Browser? I barely know her!
  128. You and everyone else Bub by ThoreauHD · · Score: 1

    What can be done to keep employee privacy, while keeping your company from being sued from a mysterious 3rd party. Outsource your email. Outsource it to havenco.com if you want privacy. As far as web browsing, I don't see how that's any of your business. There is no company liability in web browsing. You cannot stop someone from downloading or uploading anything... no matter what you do. So, it would be common sense that your company is not liable because you provided netscape with your OS. I, personally, had my boss reading through my and my associates email because he felt like it. Under the current laws he can do that. But, guess what. I don't use the company email system now... for anything. And, so, either provide your employees with privacy in browsing and email, or outsource or eliminate both. Either that, or you'll be supporting an impotent and non-functional "network". It's your choice.

  129. I second that theory. by Nanookanano · · Score: 1

    Well said, slam smith.

    --
    "..don't you eat that yellow snow."
  130. Is it "watching" when I search my own system? by Nanookanano · · Score: 1

    This "Big Brother" happens to be the owner of both the machinery and the man-hours involved. Is it abuse for the purchaser of these resources to know the process and the end of the investment?

    --
    "..don't you eat that yellow snow."
  131. Society (ie you and me) needs to change by update() · · Score: 2
    This is trite, but -- Americans created this insane system of liability and if we're not willing to live with the consequences then we all need to create a better one. Every time smokers sue tobacco companies, skiers sue the areas whose ropes they ducked, sexual harassment suits are filed against employers who weren't at fault in the slightest, we all pay the bill.

    What to do? I would say:

    • Serve on juries! Don't try to get out of it. It's part of being a good citizen and your chance to inject fairness and common sense into the judicial system.
    • Don't be part of the problem. I bet it's tempting when something bad happens to you to try to turn it into a lottery ticket. But the end result of your windfall is $59 lift tickets for the rest of us.
    • Discourage the people around you from filing stupid lawsuits.
    • If you're the victim, fight it! Insurance companies are usually happy to settle and pass the tab along to their customers. Make them fight!

    ---------

  132. Open source to resist? by crgrace · · Score: 3
    I worked at a federal laboratory several years ago and the systems there were under tight security. Every time you logged in a message would come up that what you did could be observed at any time by Lab employees or Federal law enforcement. Pretty freaky. In my group, though, someone wrote a LISP patch for emacs that warned when the sniffers were lurking. Whenever the Lab would be watching what you were doing a message would come up on the emacs message bar saying "Big Brother is Watching". This was right about when the WWW was starting to become popular (we used Mosaic on sunOS!) and I don't think the lab could track web hits yet, so I guess it was checking what directories you were in and what files you were editing to see if your account had been hacked.

    It's a very hard problem for the Lab I'm sure, pitting the need for open exchange of ideas between researchers against the need to protect the security of what we were working on.

    Anyway, now that there are programs that can monitor web usage, could we write a program that could warn users? Or, are all web hits archived so they don't have to monitor in real-time? If this were the case such a warning would be useless.

    Also, is it any surprise companies are reading email? It's as simple as:

    root> cat ~"user"/mail/inbox | grep "insert offensive language here"

  133. Set policy, set policy, set policy by HaeMaker · · Score: 1

    If you have a published policy against unlawful acts in email, and enforce the policy in all reported cases you should be ok...

    Consider this, did you think you needed to limit phone use or monitor all phone communications? The liability is the same. You are generally not liable for things employees do outside written and enforced policy.

  134. Why shouldn't company email be monitored? by namespan · · Score: 1

    If the company is liable for what goes out under email, then really, they have a good case for having to monitor it.

    And if your company is looking at your/their email account, so what? This may have been a bigger deal 6 years ago, when many people's ONLY email account may have been their academic or employer's accounts (that was the case for me, then). However, you've got at least 50 ways to move your mail now, pal. There's enough free email out there to kill mid-sized mammals. Doing personal business at work? Get a free email account.

    --
    Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
  135. 50 ways to move your mail (couldn't resist... by namespan · · Score: 3

    The problem is all inside your head, he said to me
    The answer is easy, if you see it logically
    I'd like to help you in your struggle for privacy
    there must be
    50 ways to move your email

    Get Yahoo, stu...
    or Hotmail, Gail..
    there's freeshell, Del,
    Just listen to me
    go get Hush, Gus,
    we don't need to discuss much
    and get PGP, Lee
    and set yourself free

    (I don't want to slashdot freeshell, but if you look hard enough, you can find them)

    --
    Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
  136. Re:Totally wrong solution - OT political comment by MidnightLog · · Score: 1

    they'll think twice about voting for that yo-yo who says he's only trying to "protect the children".

    What if both yo-yos say that?

    Welcome to the wonders of the two-party system.

    --

    To understand what's right and wrong, the lawyers work in shifts ...

  137. Policies and procedures? by Kierthos · · Score: 1

    Okay, for one thing it all depends on what kind of company we are talking about here. Quite obviously, if the company is involved in computer software, you are going to have a much higher percentage of people who really know how to work a computer, as opposed to (as an example) a real estate agency that is on the 'net. You have to consider the capabilities of the average User of your company. If that capability is not very high (i.e. they know how to web surf, write text files and send e-mail) then you will most likely have to take many fewer precautions than when dealing with a company full of people who write their own apps for fun.

    You also have to consider the number of people who will have access. If you only have two web-capable terminals, then it is that much easier to keep a hold of who is doing what on the 'net. For most businesses, it is usually more involved. One option is setting up a firewall to protect your system from spam-mail, as well as limit who has outside access for e-mail purposes. Another option is to dramatically limit what web-pages employees can get to. In 99.9% of the cases, having employees viewing porn sites while at work is definitely not productive, so a good web filter helps. (Just make sure that it doesn't get rid of Slashdot.)

    Finally, it is a good idea to store all e-mails on one of the computers and limit the access to the storage server to a very few people. That way, if you need to, you can see what e-mail they are sending out, but you don't have nearly as many problems with privacy or "expectation of privacy" issues. Be sure to make it publicly known to your employees that this exists. Paranoia will probably keep them from abusing the e-mail system.

    Kierthos

    --
    Mr. Hu is not a ninja.
  138. Simple. Leave the country. by deXela · · Score: 1

    Some have posted that you should be working on changing the laws. While that's fine, if you operate a business in a country with draconian laws, you might be better off moving your business elsewhere.