Protecting Your Company While Protecting Privacy?

gmhowell asks: "After reading this story on Slashdot, it seems to me that I haven't heard of a good proposal from employees regarding their e-mail/browsing privacy compared to the demands that a company avoid lawsuits. I manage a small business and am well aware of how bizarre the EEOC and others can get when it comes to sexual harassment, racial quotas, etc. For example, if a delivery person flirts with a secretary too much, is it UPS who has created the hostile workplace? Nope. It's my company. Similarly, the company can and will be held liable for any e-mail sent that ends in '@familyhealthcarepa.com'. So we really should be monitoring all e-mail, both internal and external. However, most of our employees are trustworthy, hardworking, and not interested in using our system to create mischief and I really don't want to turn into 'Big Brother'."

"Sure, I'll block a URL here or there but spot checking e-mail? How long until some smartass comes up with a .sig containing all of my keywords?

In general, people are going to be more productive if they take their five minute break at their terminal browsing than screwing around by the coffee machine. Along the same venue, I am not interested in tracking 'abuse' (such as hitting eBay, checking the sports scores, etc.) If someone is using that much time that it interferes with their job, I'll be speaking with them regarding their dereliction of duties in general, and not speaking to them about Internet usage in particular.

So, again, I pose the question: what sort of policy and procedures will protect the privacy of employees' surfing and e-mail, while still protecting my company from liability?"

Re:Private moments.

If it's not work, save it until you get home.

Hey, no problem. Of course, we'll be leaving for home one nanosecond after the clock says we can leave.

Oh, you wanted more than 40 hours per week of work out of us? Then start paying us for it, you greedy skinflints.

Re:Totally wrong solution

[Analog]

Bingo.

The law has determined that you need to be held responsible for the actions of any individual who works for you, which requires draconian privacy invasion in order to protect yourself.

So do it.

However, make sure your employees know why you're doing it. Tell them you have no interest in their activities, but must monitor them in order to avoid very expensive lawsuits. Then give them a list of phone numbers and addresses, and let them know if the liability can be changed, so will your policy. You'd be surprised at how many otherwise disinterested people will take an active role in politics (if only by making sure to vote or writing their congressman every so often) when you bring it home to them how these laws affect them on a day to day basis.

A good way to get them motivated would be to explain that most of these laws are created from the standpoint that employees are pretty much considered to be 'company property', and have no inherent privileges or rights; only those granted by the employer (which is why companies can be held liable for any activities which employees engage in, even sometimes outside business hours).

Do a good job of informing your workforce, and they'll think twice about voting for that yo-yo who says he's only trying to "protect the children".

Re:not draconian at all

[Danse]

Most people don't need email access at work.

Huh? I'd say this depends very heavily on where you work. About 95% of the people in my office have to communicate directly with the clients they're working for. This solution would not work at all.

Lawyer: your HO is wrong

[hawk]

I am a lawyer, but this is not legal advice. if you need legal advice, consult an attorney licensed in y our jurisdiction.

I assume you mean the fifth, but it doesn't matter: it is about governments. It *does not* apply to individuals. It also does not apply in civil cases--your refusal to testify in a civil case *can* be held against you.

hawk,esq.

Suggestions for a Saner Workplace

[jd]

Here are some thoughts on how to make a workplace sane, given the current lawsuit-happy environment and the problems of abuse, vulnerability, etc:

• Have "Safe Rooms". These rooms are officially =outside= the company, have a different IP address and domain name, have a different phone number, and are essentially "safe havens" for which the company can legitamately deny any responsibility.
• Make available to ALL employees copies of:
  • The Verbally Abusive Relationship
  • The Road Less Travelled
  • Healing The Shame That Binds You
  • AA's "Big Book"
  • AA's 12 & 12
  • People of the Lie
• Provide personal alarms to all employees, with the understanding that it's not "being weak" to use it.

(I'm sure there are other excellent books, too, those are just the ones I can think of which help people to figure out where they want to draw their limits, to recognise warning signs, and to work out any issues of their own, without the company needing to get involved.)

IMHO, this is exactly the same fight that mill workers had with mill owners, at the start of the Industrial Revolution, and has exactly the same answer as Robert Owen determined. An educated and sane workforce works better than a hurting and hurt one.

Don't allow personal email

[Malc]

Seeing as everywhere I've worked has clearly stated that they can examine my email, etc because it's on their systems etc... I've stopped using it for personal stuff. With free services like Yahoo that have a web interface, there really is no need to use company services for personal stuff. I don't know if such an approach shifts responsibilty from a company when there is abuse... I'm just more concerned with my own privacy.

Re:Big Brother doesn't have to watch

[Ex-NT-User]

How much do You trust your Boss?

Point being is that a LOT of companies are already using these tools and that majority of them do this with no intent to spy on their employees. But there have been many cases in the news about employees being fired for their "browsing" habits by various companies. Which only means that some companies ARE spying on their employees. And that boils down to how much do you trust your company?

Ex-Nt-User

Re:Apply open-source principles to the problem!

[Effugas]

Unfortunately, putting something on the Internet is being legally interpreted as "publishing" - and this applies to e-mail as well. (much e-mail ends up forwarded and put on e-mail list archives, etc)

That a conversation can be recorded doesn't mean it automatically is.

Do you have a responsibility, as a business owner, to see what you are "publishing"?

Unfortunately, the answer seems to be "yes".

You're beginning to touch upon why business is starting to fight for effective instant messaging.

But, people don't resent an "open" solution if they know it's there. Nobody minds a camera posted over their head if it's obvious, especially if they can SEE what's being/has been recorded.

Your grasp of reality fails here. Several unions have been known for "accidentally" destroying biometric readers because they didn't even want their *fingerprints* recorded, let alone their words, thoughts, and actions.

Look up the wars, incidentally, regarding audio recordings on security videos.

--Dan

Contextualizing Email

[Effugas]

Stop.

This presumption that all emails can and should be logged comes from the presumption that emails are equivalent to official memos from the corporation.

They're not, and shame on anyone who would argue differently.

The fact that harassing comments may be spoken at the water cooler does not obligate the company to install an audio recorder at that cooler. The fact that harassing comments often are spoken over telephone lines assuredly does not obligate a company to record all calls made to and from the office building. The fact that E-Mail can occasionally lead to harassing comments as well does not obligate the company to violate the privacy of its workers.

Now, given an active suspicion(usually brought upon by an aggrieved party commenting to his or her manager), it's justified ethically to verify the charge by watching traffic in a limited manner. We wouldn't want someone to lose their job without their sins being proven.

But to say that employers are mandated by government to spy on everything their workers do obscures the fact that the government itself is mandated a privacy violation infrastructure be built into every single workplace in the name of "protecting us from ourselves."

Yours Truly,

Dan Kaminsky
DoxPara Research
http://www.doxpara.com

Re:From the Linux Capital Group employee handbook

[Bruce+Perens]

IANAL. Postulate that some employee committs an offensive action and the company is sued. I go to court and prove that I took all reasonable precautions to prevent the employee from carrying out an offensive action. Am I still liable? Maybe. Does my insurance cover it? Probably. Is my insurance company happy? Not entirely, but they have no real complaint since I took all reasonable precautions.

You can't eliminate risk. You thus work to mitigate it as much as possible.

Thanks

Bruce

I really think it's fair.

[Bruce+Perens]

The company should not be forced to be your phone company or your internet provider. If you could only speak through the workplace, it would be different.

Bruce

Re:I really think it's fair.

[DaveHowe]

The company should not be forced to be your phone company or your internet provider. If you could only speak through the workplace, it would be different.
Hmm. I can see this with the internet (while things like online banking make this a borderline decision, as most online banking sites are more convenient than phone banking) I can't agree with the phone - most companies accept that *other* companies don't deal outside of business hours, so employees are likely to need to make the occasional personal call to a bank, utility or doctor that would otherwise need them to travel to the place of business or find a payphone. Some provide a small room with a desk and payphone for "private" calls, but the majority just roll in the small cost of these calls as overheads and ignore them (provided they aren't abused of course).
In fact, a current English law is still pending because in effect, you would require the formal permission of *both* participants in a call not to be committing a crime that carries a jail sentence; they are working on alternative wordings that allow sensible monitoring without allowing anyone but the government a snooper's licence (now that they have one, they are jealous of anyone else getting one)....
--

Not meant that way

[Bruce+Perens]

It's not meant to be a non-compete, but I see your point. The particular situation that came up is that we found a really good deal that essentially nobody knew about, that got worse if more businesses participated. One of the employees wanted to take advantage of the deal for his own business in a way that would sour it for us. So, I asked him not to do that, and he agreed not to. But you are right that it should not read as a conventional employee non-compete, and I will fix that.

Thanks

Bruce

From the Linux Capital Group employee handbook

[Bruce+Perens]

It's OK to use this text under the GNU Documentation License. I plan to put the whole handbook out as free software when I have time.

Bruce

Systems Use and Privacy

In order to facilitate communications and business operations, the Company uses a number of devices, objects and systems. This includes but is not limited to mail, e-mail, telephones, desks, common areas, cabinets, files, computers, networks, passwords, voice mail, etc. Access can be made by the company to any or all of these items or systems at any time. Employees should not assume that contents of messages are confidential and will be only reviewed by the employee.

The Company does not guarantee the security of the Company's systems, computers or telephones. If you need to communicate in a secure fashion, do it outside of Company buildings and without using any Company equipment or facilities. We employ technical experts who are able to read your computer data and tap your phone.

Members of the executive staff, the employee's supervisor, or another employee at the direction of a member of the executive staff, may access, monitor and act on any message or communication or data in any system at any time and may view and consider and act on the contents of any item provided for use in the normal course of company business.

None of this, however, conveys authorization for any employee to eavesdrop. The email, files, and other communications of your co-workers are not your business and you are to avoid situations that would expose you to them unnecessarily. "Snooping" is unethical and you are liable to be terminated if you engage in it.

Our systems are never to be used for pornography, email spam, ethically questionable or unprofessional activities. Internet service is widely available outside of the Company at low cost. Do not consider us to be your "Internet provider": our Internet facilities are only for work. Internet communications that are not part of your job should be carried out using an outside internet provider, a non-Company email address and non-company URLs.

In a nutshell...this means don't be doing nasty or illegal things in the office or on our networks. Respect the fact that your co-workers have access to information on the network and the computers and they would like to be able to respect you in the morning. The Company reserves the right to inspect information and work environment at any time, with or without notice

No Personal Businesses On-Site

It is understandable that many of the Company employees are entrepreneurs and may have one or more companies or separate enterprises, outside of their interest in the Company. It is our desire to nurture and respect the mindset of the entrepreneur. However, under no circumstances shall any employee of the Company run their own company at or through the Company. The use of the Company resources to conduct said business is strictly prohibited. All such enterprises shall be conducted completely off-site and shall not in any way be connected to or interfere with the normal operation of the Company

It is understood and accepted that occasional phone calls will need to be made or taken with regard to personal business. However, there shall be no routine phone calls. There shall be no connections with your personal enterprises and the Company. You are not authorized to use computers, addresses or other Company property, licenses or identification numbers to conduct your personal enterprise. In addition, you shall not use to the advantage of your personal enterprise any business information acquired on the job, at the Company.

Re:From the Linux Capital Group employee handbook

[update()]

OK, but (for the most part) this begs the question. You make this policy clear to everyone - and someone violates it, and someone else sues you. Are you liable?

Buried in all the language about undestanding and respect, is the real answer to the question:

Members of the executive staff, the employee's supervisor, or another employee at the direction of a member of the executive staff, may access, monitor and act on any message or communication or data in any system at any time and may view and consider and act on the contents of any item provided for use in the normal course of company business...The Company reserves the right to inspect information and work environment at any time, with or without notice.

---------

It is my opinion...

[boinger]

If you have to monitor your employees that much, you need new employees.

I don't pretend I don't screw around during the day (for instance...now), but I think I am entitled. I work faster than average. I implement job-lightening scripts and procedures. My ultimate goal is that I implement a system that merely requires me to be somewhere in town if something goes wrong.

So, if I'm endlessly reducing my workload (as part of my job), why wouldn't I have time for personal "stuff".

If, however, I were doing illegal activities, it would be my own issue, and if it became apparent, then I should be terminated.

You need a legal opinion not a tech one

[gelfling]

Even if you monitor what are you monitoring for? Who does this protect? While it may afford the company the excuse that they can go after an employee it does not protect the company from anything per se. Moreover if you have an official policy of monitoring AND ALSO filtering then the company is setting itself up to NEVER send out anything that is in violation of the policy. That is, if you claim you are in compliance then you in fact HAVE TO BE in compliance and you may be exposing the company to even more trouble. In this case the liability is clear regardless of who sends out the offending email. Therefore you again have not actually protected the company from anything unless you the email admin can guarantee the process.

You need to consult an attorney. You may also want to investigate some kind of business insurance to cover litigation and damages that may result.

Re:You need a legal opinion not a tech one

[KahunaBurger]

Moreover if you have an official policy of monitoring AND ALSO filtering then the company is setting itself up to NEVER send out anything that is in violation of the policy. That is, if you claim you are in compliance then you in fact HAVE TO BE in compliance and you may be exposing the company to even more trouble.

Wrong.

Lets say the magic words again, everyone : "good faith effort" Aside from the (IHMO sexist backlash of) hysterical overreaction to sexual harrassment claims, the reality is very different. You as an employer are not held responsible for everything an employee does. But you are responsible if you condone it, if you have policies which make it easier on the harrassers than the harrassed, if you don't take early complaints seriously, etc. If you have a policy, you tell people where they can complain, and you make a good faith effort to follow up, you do not have a problem.

Then again, in the real world (outside of the backlash hysteria) a lot of individuals and companies don't have a problem even when they don't do it right. (begin rant)

Real life example. A lifegaurd for a city pool sued the city because of pervasive sexual harrassment by her supervisor. The city had a sexual harrassment policy and displayed it at city hall, but the employee worked only at the pool and never saw it. When she tried to complain to her supervisors superior they lied/didn't know better and told her that there was nothing that could be done about it. One of the lower courts ruled that even though they had completely failed to do anything useful with it, the city was still protected from the complaint just because of the existance of a formulated policy. (in this case even a bad faith effort is ok, apparently). The case was under appeal when I heard about it, I don't know the final outcome.

Another real world case for those who think a flirting UPS man will lose them their business. large supermarket chain had a store manager accused of sexual harrassment bordering on attempted assualt. Their solution to the problem was to maintain his "rank" but switch him to another location where no one had heard about his past behavior. There he was given enough athority over a small enough crew that he could one night order everyone home but one woman at lockup time and rape her in his office. When she found out about his prior complaints and the way the chain had responded to them, she sued. On her last appeal, the court ruled that the chain had not acted in negligence, and she had no standing for such a claim. They did say that she could file a workers comp claim, because the "injury" arose out of normal work conditions. Wanna guess which state thinks having a known sexual predator arround is just something the company can't be expected to change? Massachusetts, home of the "liberal, activist" court.

Now I keep hearing people rant about these overeacting sexual harrassment claims, but I've never actually heard a authenticated, or even first hand report on one. Out in the real world, it looks like the companies can protect themselves just by having a policy, distributing it and sticking with it, harrassers can protect themselves by being "good enough" that their supervisors turn a blind eye or reassign when too many people complain, and the harrassed can protect themselves.... how? I don't know. make a complaint and hope anything useful happens, then go out and listen to your friends complain about the nuetered corportate culture they're imagining.

Rant over, gotta go to bed.

-Kahuna Burger

CAUTION: NON-COMPETE

[Signal+11]

"In addition, you shall not use to the advantage of your personal enterprise any business information acquired on the job, at the Company."

This could be construed as a non-compete clause. In many states, these are unenforceable. You probably want to amend this to reference "trade secrets" and/or "business practices" instead. You can't tell me that as a web developer if I learn CSS or Javascript on the job I can't use that knowledge elsewhere. The whole point of employment is building your career and aquiring new skills. That statement is contrary to this basic principle of employment, and would be legally unenforceable, if not ethically questionable as well to request.

Now, using the same analogy, if as a web designer a company I worked for designed a new dynamic backend to deliver for, say, news content, and that backend contained alot of new ideas and features not found elsewhere in the industry and where knowledge of that (if aquired by competitors) would cause material harm to the company, then yes.. such knowledge should be protected. However that should be done in a seperate document and made explicitly clear to employees both at the time of employment, and at periodic intervals afterwords (if it is that important, you should take great pains to ensure everyone knows this - due diligence).

Yes, I know you don't mean this to be a legal document, but as a policy document for a company, it could be used in legal preceedings, however IANAL.

Re:CAUTION: NON-COMPETE

[mccrohan]

I think that 'business information' pretty clearly != 'personal skills'. Business information would include things like the trade secrets and business practices you mentioned (upcoming plans for the business and its customers/suppliers, for instances) as well as business contacts - for instances, trading on your position as a representative of the company to get deals for your personal ventures.

Wierd thought - disallow email.

[Christopher+Thomas]

If your company is liable for any email originating from it, then a logical solution is to block outgoing email from most users. Give the company a few official contact people who talk to clients directly, and act as go-betweens for other work-related email.

Non-work-related email can be handled through home accounts, POP3 to an employee's ISP's mail server, web mail, or what-have-you.

This is draconian, but it does virtually eliminate the problem of liability for outgoing email. Internal email management is left as an exercise to the reader.

monitoring may expose you more

[jetson123]

Why again do you think you have to record all E-mail? Are you supposed to listen in on all telephone conversation and bug people's offices as well? Who is going to pay for the effort that that kind of monitoring requires?

I don't think monitoring is feasible. In fact, it may you expose to even more liability because it puts you in the position of being able to discover problems, and the presumption then may be that you knew about a problem but chose to ignore it.

I'd prohibit any personal use of company E-mail (there is no need for it--web-based mailers provide an excellent alternative), have a clear policy on how employees can get help with problems, and indicate to external recipients of E-mail messages (in a header or signature) who they can contact in case of problems with mail they received. But if it really worries you, why not talk to a lawyer?

Explain to employees

[Silver+A]

Explain to your employees what you've said - any mail going out with @mycompany.com exposes the company to liability, etc. Encourage them to keep the company name off personal business. Maybe also as part of your employment contract, make the employee indemnify the company against personal unauthorized actions which expose the company to liability, and explain this in interviews and when the employees start. If you explain to people why you have certain restrictions, and the explanation is reasonable, they're much more likely to comply with them.

Encryption policies?

[swb]

What about policies regarding the use of strong encryption in the office? For example, what if I do my "off limits" business at work in a completely encrypted fashion, but for whatever the reason the light of suspicion falls on me. If I refuse to reveal my key(s) which can then reveal the evidence against me, should the company be able to fire me because of that?

In other words, should there be an organizational policy on encryption? Such as something like:

"Only organizationally issued [and hence escrowed] encryption software and keys may be used to secure communications. All other encryption may be construed as evidence of prohibited behavior." or some other kind of legalese.

To me this seems more draconian, but at the same time if the stated goal is maintaining comapany control over the computers and the data, I can't see how you could allow an encryption free-for-all without causing problems.

Re:not draconian at all

[Sloppy]

What they need is "work" mail as opposed to personal mail. Perhaps this can be fixed by giving them a boring mail address such as sales05@company.com or support@company.com instead of joeschmoe@company.com. That might help keep other parties from thinking that it's appropriate to use that address for chatting about Joe Schmoe's girlfriend's hemmoroids.

---

not draconian at all

[kaisyain]

Most people don't need email access at work. Just like most people don't need access to letterhead or a company credit card.

You'd still be letting them access their personal email from work -- so it's not THAT draconian.

And they can still communicate via email internally.

Re:not draconian at all

[scumdamn]

Where I work, we need to communicate directly with customers and send them files as attachments, etc.
Our company has gone the opposite of what you suggest and disabled communication to/from port 25. So we can recieve home email, but can't send.
Well, that is, most people can't.

A way to verify contents without snooping

[wtpooh]

I have always wondered about the use of email evidence in court - it would be relatively easy for company A to invent nasty email messages from company B, all the way down to A's incoming mail server logs. If company B was not archiving all outgoing mail, it would have no way to prove that those emails were not genuine.

So, what if the B's mail server logs only a checksum/hash of all outgoing mail? Then B would have evidence that could counteract A's account, but would not need to be intrusive or store huge amounts of email forever. While having each user PGP sign their documents would serve the same purpose (and be more reliable, since it would provide definite proof of a forgery), this system would be much easier to implement on a companywide basis.

Log Email

[weston]

Keep a copy of all email sent, but make it clear that company policy is not to search it unless there's a complaint of abuse. Hopefully, the consequence would be that the employee realizes there's a record kept of everything they send, and that will make them more responsible.

I know this sounds a little bit like those stupid voluntary privacy policies that people like doubleClick have. But you're not them. You're a small business concerned about balancing privacy with responsibility. You might be able to handle it.

Also, I really think that with the number of ways that someone can send and receive email today on the net, use of a company account for personal business is really not a must.

Having cake, eating too.

[lythander]

Being in a similar situation, I have also pondered this koan, and believe it truly unsolvable. You want to to only monitor true abuses, not minor nit-picky transgressions, and respect privacy as much as possible.

Can't be done.

You need must monitor every email is you're to catch those creating true liability. You must log every page view if you're to catch the porn surfers. If you sample these things, those you catch can accuse you of singling them out. If you smple, you might miss some doosies. And as the filter companies have shown us, these sampling and filtering methods do not work (yet?).

Perhaps what you need is a modest plan involving user education, a written policy protecting user privacy and agreeing to full disclosure when it must be violated in the course of some investigation, and enough documentation to demonstrate due vigilance wrt these issues in case a suit arises.

In the end, those who want to bad enough will screw everything useful up for everyone. The trick isn't on preventing it so much as being able to prove that you made every reasonable attempt to prevent it.

Totally wrong solution

[FascDot+Killed+My+Pr]

Why are you looking for a good way to comply with a bad law? The problem is the law--fix it! Yeah, yeah, "I can't afford court fees", etc, etc, etc. Write your congress-critters (federal and state), talk to city/county councils, get your voice out there! These things can be fixed without resort to courts and expensive lawyer fees.

Better yet, pay attention to current bills being considered. An ounce of prevention....
--

How is Paper Mail Handled?

[SEWilco]

When I send a paper letter to you, does your company have people who review every letter which is received or sent?

No, I'm certain the paper mail is simply delivered to your desk. The same way outgoing paper mail is handled, and interoffice paper mail. The mailroom leaves the responsibility with the individuals involved.

If you remember your business letter standards, how you sign your letter is also an indication of whether you are speaking for the company or not. The responsibility with paper mail is with the individuals.

Why change things for electronic mail?

Re:How is Paper Mail Handled?

[Elvis+Maximus]

Email is much more informal than paper mail, and people treat it accordingly. I can't imagine people in my office send or get chain letters, jokes, and photos of varying levels of propriety through the postal service. But the volume of the same kind of stuff they send and get over email is enormous.

People are much more likely to send or receive "inappropriate" material via email than by post. The two mechanisms require different sets of rules.

-

Logging doesn't prevent anything

[scotpurl]

I'm a consultant, and at my current client site, the lawyers have deemed that no email shall live more than 30 days. If it needs to live longer than that (some does, like contracts and product research), then it quite clearly becomes the user who is responsible (and who gets sued), and not the company, for anything that goes wrong from having that old email lying about. There's still ways of copying email outside the system, but POP and IMAP have been disabled on the servers to prevent local copies of email from accumulating.

Keeping logs doesn't really protect you. All logging does is simplify a post-mortem, and provide a method for digging into someone's past and turning a non-event into something nefarious. If the data isn't collected, you can't turn it over to someone. :-)

And the user can still send inappropriate email using any form of encryption such as, oh, any non-English language. Seriously. Are you going to spot check the emails written in French? Hindi? Farsi? Obfuscated Perl? How about keyword filtering in those languages?

About the best you can do is use the same policy you have in place now for phone use. If it gets out of hand, you, or your co-workers will know (or will rat on the guilty). Make Human Resources play the part of bad guy, and have them deal with these personnel issues. Publicize the policy, and have a two infraction limit. First warning, a week without pay. Second warning, you're fired. Zero exceptions (including VP's and CEO's).

Finally, I'm happy to see that you realize it's not that you're going to get 2,000 hours of perfect work out of an employee per year, but that the value of what they do during a year is greater than what you pay them each year.

Some experiences I've had

[RobertGraham]

You can't avoid lawsuits in America; don't pretend there is a magic pill that will solve your problems. As for monitoring e-mail, there are no good standards yet. You cannot monitor all e-mail, but if an employee comes to you with a harassment complaint, you had better be prepared to start monitoring the offender's e-mail.

I've documented similar experiences at: http://www.robertgraham.com/pub s/firewall-pr0n.html

Why not get yourself protected as an ISP?

[Adam+Knapp]

I'm no lawyer but AFAIK this idea would work:

Become a "private ISP" of sorts. Charge a nominal, required fee for use of the e-mail system. That way you could use some of the legal prtections ISP's have.

External Use Policy...

[ErichTheRed]

I've worked for a few companies, each with different Internet policies. Here's a sample. Numbers correspond to workplaces in each category

Web:

1. No Web access without full officer approval (a bank.) Every move you made on the web was logged and tracked, plus "undesirable" sites were blocked out.
2. Very little logging, but a proxy server filtered out things like Playboy, Dilbert, etc. (huge insurance company.)
3. Unrestricted web access, very little logging (firewall logs blocked port attempts, etc.) This is in my current gig with a huge worldwide systems company.)

Email:

1. Internal email only...no outside access at all (including blocking of Hotmail, etc.) except in certain, tightly restricted departments such as PR, customer service, etc.
2. Full outside access, but everything was logged and passed through a word/content filter. I've seen many a sneaky sales manager get gently escorted out the door after they found that he was emailing files/kiddie porn/MP3s to his buddies. Very strict policy for if/when you screw up.
3. No email filtering as far as I know.

Now, here's what I have always used to govern my personal Internet use at work:

• Nothing, and I mean nothing, of a personal nature goes through my work e-mail account. My ISP lets me read and send personal mail via the web, so I'm at least not wasting the company's mailqueue space. ;) Besides, if some goof from the outside sends me spam or a "restricted" piece of material, I certainly don't want it coming up to haunt me. Besides, I already get way too much email in my work account. :)
• As for the web, it's the company's nickel you're using to browse. I try to keep personal browsing to a minimum, but most employers I've seen understand that blocking really isn't the answer. The only thing I'm guilty of overusing (other than reading Slashdot) is downloading stuff like patches and service packs for programs (I have 56K at home...try downloading W2K SP1 over that!!) It's just too dam nconvenient to download, burn to CDRW and take home.

Now, if I ran the network (at least the external services end...) I would do the following:

• Email: Most people have an ISP at home, and they can get email through that. If you let users access Hotmail, or send SMTP requests to their ISP, you'll probably cut the mail server traffic by a lot. If you're truly paranoid, append a disclaimer onto the end of the message.
• Web: Trust your employees. Most are there to work. Some are there to download porn. They'll be found out sooner or later. Rather than actively block sites, if you feel you need to restrict access, make users read and sign an IT policy agreement. That's how Company #2 above deals with web abusers. The policy should state what is allowed and what isn't, clearly and specifically. A signed document is your best defense when kiddie-porn-man sues for wrongful termination.

Re:Liabilities

[interiot]

I can't find the link right now, but I also believe that a company has to take appropriate steps to ensure that trade secrets are kept secret, otherwise they can't sue someone for disclosure. This might include the necessity for monitoring email.

This document has a number of good links related to this story.

Liabilities

[interiot]

This is what can happen if you don't monitor your employee's emails. Chevron had to pay $2.2 million to employees because it allowed its internal email system to be used to transmit sexually offensive jokes.

This page lists a few more lawsuits from company liability about email. To limit liability in such cases, they suggest:

• Have an Explicit Written Email Policy
• Have an Explicit written email monitoring policy
• Have a User Education Program

Re:Put simply...

[Kintanon]

This just sounds like a defamation lawsuit waiting to happen... IANAL, but anything more than "Bob violated the posted Internet policy" will be challenged by somebody, then the company will need to prove why it released personnel details on a terminated employee

The fact that you visited www.livenudegoatpr0n.com at work is not a personal detail. It's information that the company can release to anyone it bloody well chooses because the entire transaction took place using company equipment and property and on company time. That means that it wasn't a private act, but a public act within the company. So you can't bitch that your company announced that you were fired because you were filling up the companies hard drive with pr0n.

Kintanon

Re:Put simply...

[Kintanon]

And it comes out later that they were away from their desk and someone else visited that site from their PC, or someone sets their PC to the victim's IP when the victim's PC is down, or ...
That is a risk. A possibly expensive risk.



I don't think you understand how corporations work, they aren't going to just notice hits to pr0n and fire the guy and announce it. They are going to notice the hits, set up some more intrusive monitoring on his machine, and find out everything they need to know to be sure it's who they think it is. Then discuss it with them, and continue monitoring. Corporations are VERY cautious because they don't like wrongful termination suites any more than any other kind of lawsuit.

Kintanon

small company big company

[harappa]

It depends on your company size.

Sometimes, in a smaller company with 100 people - it is possible to work closely with the employees to ensure they understand the company standard practices. I have seen cases where in general meetings, the COO has tabled the issue and has asked for a consensus among the employees about how the company as a whole should deal with this issue.

That is not really practical in a larger context. I work in an information services department with more than 4000 people in a largish corporation. For us, here, (and Im not the person who enforces these policies here) there may not be really any other way out rather than blatant denial/interception.

Whatever way you choose - it is wise to use understanding and care when dealing with such violations.

Re:Put simply...

[rkent]

It's amazing to see the internet usage ramp down for a few weeks!

Man! I can't imagine being so addicted to pr0n that you just have to get into it at work when the company policies so specifically forbid it (and it's NOT hard for your employer to check). Just seems dumb. I mean, I feel bad enough reading slashdot for an hour at a time, but at least that's not (specifically:) against company policy.

Is The Company Liable For Computers It Gave Away?

[GeekLife.com]

Can Ford be sued for creating a hostile workplace if someone sees an offensive porn site on a computer that they provided for their employee (in their employee's home?). Is snooping necessary legally to prevent at home porn browsing on company provided computers?
-----

This is going to be unpopular, but...

[pangur]

You know, this is your company, your capital, and your ass on the line. If some 'smartass' is going to put keywords into his .sig to annoy you, this same 'smartass' could sabotage you in other ways ("He wants me to make another cup of coffee for him, who does he think I am? I'll show him."). If your employees have an issue with their e-mail being read and their web usage tracked. you can remind them of some facts:

1) They can have all the e-mail and web surfing at home that they want. Even for free.

2) You paid for the computers and the internet connection. You get to dictate terms of use. If they want to "represent" the company they need to abide by your rules.

3) If they screw up and get you sued, you can fire them. You, however, can lose your business. Being the one to put your neck and reputation on the line by starting a business means you take more risks and can get more rewards. Don't let someone take that away from you because they wanted to "show you".

Overall, if they are adults, they should realize the responsibility that they have to their place of work. If they want to violate your policy and expose you to risk, then someone else can hire them and take the risk. Or, they can become self-employed. Then they can see what it is like to have themselves exposed to risk.

All my programs have a purpose. This one, for example, takes the contents of RAM and places it in a file called 'core'.

Re:This is going to be unpopular, but...

[rhombic]

I agree completely. People, try to think of it in small terms first:

Would you appreciate it if a roommate hopped on your computer and sent harrasing/threatening e-mails out under your name? Probably not.

Now what if you hire that roommate to write some code for you using your machine. He sends out threatening e-mails using your machine, again under your name, but now he's an employee. It's your computer, does the fact that you've hired him to write code on it give him the right to use it any way he wants?

Now make it a small business with you hiring two coders, you own all the machines, do they have the right to use them as they please? Scale it all up-- at every level, the person/persons/shareholders who OWN the machines have the right to say what gets done with them. If you don't like it get a machine at home and a dial-up account.

Clear *GUIDELINES*

[Andrew+Dvorak]

Depending on the nature of your company, you might not want to strictly monitor such communications -- but be sure to create guidelines that all who are employed by your company can understand without legal council.

If suspicion is strong enough, maybe monitoring communications minimally. Many companies do allow (without acknowledging) some personal activities to slip through the cracks, so long as the employee is doing their job. But I don't know about many professions and how easy it might be to get compulsively sidetracked, but I'll bet many companies that don't deal with consumers often don't always promote the most comfortable work environment in the name of saving money!

Of course i'm wrong, so comment accordingly ;-)

Bizarre Assumptions, Good Advice

[Liza]

As a former plaintiff's lawyer for civil rights cases, I sure wish it was as easy to win millions for the victims of harassment as GMHowell seems to think.

Standard Disclaimer: I am not your lawyer.

The fact is, if you have a business of more employees than you can count on one hand, you should probably have policies regarding personal use of the phone, Internet, and other office resources.

This does NOT mean just write them down and stick 'em in a file cabinet. That's how you get in serious trouble with plaintiff's lawyers. What you SHOULD, do is this:

Tell your employees what kind of behavior you expect of them. Enforce it. Don't tolerate harassment -- sexual or otherwise.

Your employees are not stupid. You can explain that a flirtatious UPS driver, or even going out for drinks with the office after work, are different from employees making frequent sexual comments about other employees, different from turning a blind eye to employees who send sexually explicit URLs around the office or spend time at work surfing those sites, and different from employees who hit on other employees and give them worse work assignments after being rejected.

That last thing -- that's where most employers who get nailed in lawsuits really get nailed. People who end an on-the-job romance (or refuse to have one in the first place) shouldn't have to worry that they're going to get lousy assignments, no more promotions, or lose their job as a result. As an employer, you need to see to it that those things don't happen.

time to change the laws

[MattW]

I sympathize with the question. In terms of laws which regular employers, those pertaining to sexual harassment are some of the worst. I'd tend to suggest an application layer monitor that checks keywords, and completely ignores messages which do not contain them -- carnivore, anyone?

Really, we need an adjustment of the law. The judicial interpretation of the law has led to some amazing rulings regarding sexual harassment. Not only has it wrongly cost many companies money, time, and employees, but it has trivialized the truly evil sexual harassment which still goes on everywhere. It should always be the case that a company has a chance to rectify a situation after the fact. Any large company should have a contact person in HR who can receive a complaint, and companies should not have liability unless they fail to respond to a complaint. Anyone who can file a lawsuit can surely take a complaint to HR first; otherwise, I'd say they are motivated by greed and/or spite, and not just the desire to have a healthy workplace environment.

Of course, it won't come as any surprise to slashdot readers that the country is in love with litigation, but the longer I work, the more I witness incidents where the spectre of litigation protects only the wicked, as it were.

e-policy

[purefizz]

There's a book about policies you can implement to protect your company... "e-policy"

http://www.amazon.com/exec/obido s/ASIN/0814479960/

kick some CAD

Strengthen internal communication

[marshall11]

Technology is not going to protect you from lawsuits because technology did not cause the lawsuits. Just because it is easier for employees to keep in contact with people from outside the office throughout the day does not mean that your chances of getting sued increase. When it was fax machines and snail mail, wasn't there also still butt-slapping and memo-boards? The situations in which a sexual harrasment or other company damaging claims could occur weren't able to be stopped by technology back then, and they aren't going to be stopped by technology now.

Some of the solutions were already in your question. (1) Hire dependable, hard-working, trust-worthy people. (2) As your company grows don't let them lose touch with each other or resources for help in case something does happen to them. In other words, get a strong, honest, HR director or department, someone your employees feel is on their side and not the company's. (3) Talk to a good consulting firm that handles HR issues like workplace grievances and see what they recommend (4) and since it will happen someday, get a good team of lawyers.

The solution to the issue of unwanted lawsuits lies not in controlling outside contact, but strengthening contacts inside the office.

Monitoring..sure way to get sued

[Kagato]

In a previous life I was one of the head administrators of a very very large e-mail network for a very very large company. 300+ servers, 60 countries, etc, etc.

E-mail policy was a huge issue for us. The technical team and the legal team looked at it from several sides. First, thing we thought of was the cost of monitoring e-mail and what problems it may cause. The biggest problem was actually monitoring e-mail caused far more issues than not.

It was far more likely that we would be sued for terminating someone over an e-mail rather waiting and responding to a complaint about said e-mail. The biggest factor in this was dealing with low level management. Frankly, the low level is there to watch the clock and fill out reports. The probability that a manager making under 30K a year of correctly handling the situation was quite low as well.

Further more, by opening mail up to be read we risk disclosing information that would break NDA's, and FTC rules. For instance we wouldn't want mail about a merger or sell off to be made public until it was legally correct to do so.

In the end the mail policy was set up so that monitoring of e-mail would only be allowed in the case where a VP level or higher authorized viewing the mail. Any other complaints we be handled via HR channels.

Put simply...

[Dr+Caleb]

They are adults.

At least they should be considered so.

My company has a simple policy - pretty much open internet. Some sites throw up red flags and are blocked (such as playboy.com).

We publish the companies internet usage policy on the intranet home page. No one has the ability to change that home page. They are required to bide by the rules of internet usage.

If they don't, the rules are simple - termination.

And we make a big deal out of it. Terminations are not announced (the rumour mill takes care of that...), but when employees are convicted of having soft/hard/child pron on their machines, a letter of explanation goes out from the company president.

It's amazing to see the internet usage ramp down for a few weeks!

SMTP/POP doesn't work with subdomains.

[yerricde]

ARIN is no longer giving out IPs for individual subdomains, and the mail protocols don't work with name-based virtual hosting. How would this be implemented?
<O
( \
XGNOME vs. KDE: the game!

It's not that hard...

[kitmarlowe]

I am the mail/network admin for a midsized company. We have limited capital, and therefore limited bandwidth (the big pipes cost big money).

Because of this and to protect ourselves from the liability mentioned above, we monitor email in a way that we consider to be reasonably fair. All incoming, outgoing and intercompany emails are scanned for a set list of words and phrases (that was an interesting day, keying in all of the offensives words I knew), in addition to being virus scanned, checked for size, etc.

Incoming mail that throws a lexical violation (contains enough of the words/phrases to red flag it) gets bounced with a polite messge regarding innapropriate business content. Outgoing and intercompany mails which we might be liable for that throw a lexical violation are forwarded directly to the head of HR, who determines if it is necessary to take any action. 9 times out of 10, nothing is done.

Regarding the web, we catch every single URL that gets keyed in. We do restrict and filter content, more to reduce bandwidth usage than any other reason. On the other hand, as the guy who had to search the logs, I can tell you definately there were people surfing porn. I'm not talking about an occasional glance either, I'm talking an hour long porn fest. The software we use allows us to tailor a surfing policy for different groups of users. Data entry personnel who don't need the internet for business use simply don't have access. My company pays for the pipe. They pay for it so the business can grow, no to provide an ISP to employees.

As a final note, I saw someone talking about smartasses who put all of the offensive words in there sig. Yes, it's very cute, and it happened to us several times. I've found that after an extended conversation with both HR and th Manager of Information Security they find better uses for their time.

The Death of Common Sense

[Scot+Seese]

Haven't we conclusively proven already that one lawyer can cloud legal judgement, and a committee can completely kill the publicly accepted standard of common sense? You most likely allow your employees to use their break time to telephone a loved one from work; If they are instead using their lunch time to call their ex, whom in this scenario has a restraining order against them, are you laterally responsible for providing the telephone at your workplace?! If an employee puts THEIR stamp on a piece of personal mail, and drops in in the company's outgoing mail chute to save a trip to the post office, are you responsible for it's content? I could only hope that if an employee were using your company email to send or recieve objectionable material, the parties involved in any subsequent legal action would be.. the sender, and the receiver. You are running a company, employing adults, not running a day-care center. If your IS manager came to you and suggested that SOMEONE on the network was sending/receiving an inordinate amount of email, it would warrant a short conversation regarding the limitations of personal usage. What is being discussed here, in abstract, is the problem with the US legal system and society as a whole, that being the Death of Responsibility. It's always someone else's problem, isn't it?

EEOC law != "quotas"

[gonerill]

"I manage a small business and am well aware of how bizarre the EEOC and others can get when it comes to sexual harassment, racial quotas, etc." The EEOC does not and cannot mandate or enforce anything resembling "racial quotas." Like many aspects of American Law, equal employment opportunity laws state a general principle but are (a) very vague about what constitutes compliance, (b) weak on enforcement mechanisms, and (c) usually allow professional organizations (consultants, personnel departments) to determine what compliance means. Throwing around phrases like "racial quotas" is plain wrong and very misleading.

simple things you can do

[rhombic]

There are a few simple things you can do to cover your end and make employees life easier:

1) Have a written internet policy. Work it over carefully. And have every employee who gets a internet-connected computer sign that they've read, understand, and agree to abide by the agreement.

2) Business e-mail is the same thing as letterhead. Employees don't use letterhead for personal correspondance, they shouldn't use business e-mail for personal purposes. Hotmail, yahoo! mail, go mail, there are a hundred free e-mail services out there that work just fine. Simply make policy that the business e-mail is business use only. Period. Help users setup hotmail/yahoo/whatever if they want. Bingo! You have no ethics problems with full logging/reading every e-mail that goes through. There are no personal/privacy issues to deal with. If an employee gets caught using it for personal purposes, there's no reasonable expectation of privacy since you've already stated that it's business only and will be logged.

3) Make policy on personal web-browsing. Make it clear what is not acceptable. And deal with abusers promptly.

4) Sexual harassment: this is only a real problem if something is brought to your attention and you fail to act on it. If the delivery guy is being inappropriate, you ought to be on the horn to the local delivery office immediately if not sooner! As soon as you mention "sexual harassment" and "we're discussing this with legal" the guy will be on notice, and if it happens again, he'll be fired. Guarenteed.

Further Reading

[ATKeiper]

We have an archive of related articles on our Personal Security page, here: http://www.tecsoc.org/persec/pers ec.htm#workplace

- A. Keiper
The Center for the Study of Technology and Society
Washington, D.C.

Restrictive Outbound Firewalls

[NevDull]

First, let me say this: If a company expects me to be at work anything above and beyond what is recognized as a standard work week, they can fuck themselves if they don't want me using company resources to rearrange the rest of my life to suit them.

Back to company policies. The company for which I work has RFC1918 addresses for internal systems, NATted out through a firewall which only allows outbound on 80 and 443 for almost all systems.

Being non-stupid, I set up an SSH daemon on port 443 on an outside box and set up tunneling, but that's beside the point.

Point is that my company chose to place restrictions such that using external non-webmail accounts was impossible (well, for the 99% who tend to lack clue). MSIE is set up here by default to use their proxy, and settings on the workstations are locked down.

Were their choices better because they were diligent in limiting use?

Were they worse, because by not allowing SMTP, POP, SSH, telnet, and unproxied FTP, they encouraged the use of company applications and company servers, and not just company connectivity?

Since I can tunnel everything including web traffic (got me a proxy outside) they can't even see anything but one really long connection to a single host which comes up with nothing when they pop it after https://.

Reliability suffers, and my TCP/IP stack on this damned Windows box blows up too often with all the forwards, but have they won, have I, or neither?

Disclaimers

[zlite]

A lot of banks and law firms (who are most vulnerable to liability) automatically append boilerplate disclaimers to the bottom of all outgoing email. Is it irritating? Yup. Does it work? Maybe. But it certainly reminds employees that liability and responsibility are issues that they should keep in mind.

Most importantly, it may be able to save you the ugly mess of an email screen.

Alternative Approach

[AndrewD]

This one came about by default, owing to so seriously loopy system design and purchasing decisions. We use Groupwise here in the office, with everyone's permissions set to full. It's useful, because a lot of our business (lawyering) has to be done right now - the fact that someone's out of the office, tied up in a meeting all day or asleep at the switch won't wash with the clients.

The upshot is that everyone can read everyone else's email. The web isn't logged or monitored, but the office is open plan. So everyone can see that I'm posting to /. between drafting contract clauses.

Total openness and good old-fashioned embarrassment mean that nothing untoward goes on.

Whether this system would work in an environment that didn't consist of a majority by weight of lawyers is left as an exercise for the student.

Educate them

[MagicYoshi]

I've always felt that when you give people all the information, they often can be trusted much more.

When I was in college, I was involved with a school program that was being threatened with being shut down because incoming students would complain that they were pressured into drinking. However, there were 400 students involved in the program and there was no way we could police them all. The students in charge of the program appealed to the other students, explained the problem and explained the consequences and we had almost no problems. A couple of years later, it had become a "rule", and it's now a problem again. My point is that when we explained the situation, they wanted to help and were able to.

As far as the UPS person flirting with a receptionist, if you receptionist has some sort of way of getting help or discreetly calling someone into the room, the flirting will not be a problem. I would think any judge would look at that and realize the company had done all it could. But then, IANAL.

Mandatory Encryption

[blameless]

If your employees are forbidden from sending email that is not encrypted, then you can't monitor their email.

There are a ton of other reasons a policy like this makes sense; indemnifying yourself from such lawsuits is just a convenient side effect.

Society (ie you and me) needs to change

[update()]

This is trite, but -- Americans created this insane system of liability and if we're not willing to live with the consequences then we all need to create a better one. Every time smokers sue tobacco companies, skiiers sue the areas whose ropes they ducked, sexual harassment suits are filed against employers who weren't at fault in the slightest, we all pay the bill.

What to do? I would say:

• Serve on juries! Don't try to get out of it. It's part of being a good citizen and your chance to inject fairness and common sense into the judicial system.
• Don't be part of the problem. I bet it's tempting when something bad happens to you to try to turn it into a lottery ticket. But the end result of your windfall is $59 lift tickets for the rest of us.
• Discourage the people around you from filing stupid lawsuits.
• If you're the victim, fight it! Insurance companies are usually happy to settle and pass the tab along to their customers. Make them fight!

---------

Open source to resist?

[crgrace]

I worked at a federal laboratory several years ago and the systems there were under tight security. Every time you logged in a message would come up that what you did could be observed at any time by Lab employees or Federal law enforcement. Pretty freaky. In my group, though, someone wrote a LISP patch for emacs that warned when the sniffers were lurking. Whenever the Lab would be watching what you were doing a message would come up on the emacs message bar saying "Big Brother is Watching". This was right about when the WWW was starting to become popular (we used Mosaic on sunOS!) and I don't think the lab could track web hits yet, so I guess it was checking what directories you were in and what files you were editing to see if your account had been hacked.

It's a very hard problem for the Lab I'm sure, pitting the need for open exchange of ideas between researchers against the need to protect the security of what we were working on.

Anyway, now that there are programs that can monitor web usage, could we write a program that could warn users? Or, are all web hits archived so they don't have to monitor in real-time. If this were the case such a warning would be useless.

Also, is it any suprise companies are reading email, it's as simple as:

root> cat ~"user"/mail/inbox | grep "insert offensive language here"

50 ways to move your mail (couldn't resist...

[namespan]

The problem is all inside your head, he said to me
The answer is easy, if you see it logically
I'd like to help you in your struggly for privacy
there must be
50 ways to move your email

Get Yahoo, stu...
or Hotmail, Gail..
there's freeshell, Del,
Just listen to me
go get Hush, Gus,
we don't need to discuss much
and get PGP, Lee
and set yourself free

(I don't want to slashdot freeshell, but if you look hard enough, you can find them)