Slashdot Mirror

← Back to Stories (view on slashdot.org)

Protecting Your Company While Protecting Privacy?

Posted by Cliff on from the avoiding-the-juicy-email-situation dept.

gmhowell asks: "After reading this story on Slashdot, it seems to me that I haven't heard of a good proposal from employees regarding their e-mail/browsing privacy compared to the demands that a company avoid lawsuits. I manage a small business and am well aware of how bizarre the EEOC and others can get when it comes to sexual harassment, racial quotas, etc. For example, if a delivery person flirts with a secretary too much, is it UPS who has created the hostile workplace? Nope. It's my company. Similarly, the company can and will be held liable for any e-mail sent that ends in '@familyhealthcarepa.com'. So we really should be monitoring all e-mail, both internal and external. However, most of our employees are trustworthy, hardworking, and not interested in using our system to create mischief and I really don't want to turn into 'Big Brother'."

"Sure, I'll block a URL here or there but spot checking e-mail? How long until some smartass comes up with a .sig containing all of my keywords?

In general, people are going to be more productive if they take their five minute break at their terminal browsing than screwing around by the coffee machine. Along the same venue, I am not interested in tracking 'abuse' (such as hitting eBay, checking the sports scores, etc.) If someone is using that much time that it interferes with their job, I'll be speaking with them regarding their dereliction of duties in general, and not speaking to them about Internet usage in particular.

So, again, I pose the question: what sort of policy and procedures will protect the privacy of employees' surfing and e-mail, while still protecting my company from liability?"

25 of 184 comments (clear)

  1. Re:Totally wrong solution by Analog · · Score: 4
    Bingo.

    The law has determined that you need to be held responsible for the actions of any individual who works for you, which requires draconian privacy invasion in order to protect yourself.

    So do it.

    However, make sure your employees know why you're doing it. Tell them you have no interest in their activities, but must monitor them in order to avoid very expensive lawsuits. Then give them a list of phone numbers and addresses, and let them know if the liability can be changed, so will your policy. You'd be surprised at how many otherwise disinterested people will take an active role in politics (if only by making sure to vote or writing their congressman every so often) when you bring it home to them how these laws affect them on a day to day basis.

    A good way to get them motivated would be to explain that most of these laws are created from the standpoint that employees are pretty much considered to be 'company property', and have no inherent privileges or rights; only those granted by the employer (which is why companies can be held liable for any activities which employees engage in, even sometimes outside business hours).

    Do a good job of informing your workforce, and they'll think twice about voting for that yo-yo who says he's only trying to "protect the children".

  2. Suggestions for a Saner Workplace by jd · · Score: 3
    Here are some thoughts on how to make a workplace sane, given the current lawsuit-happy environment and the problems of abuse, vulnerability, etc:

    • Have "Safe Rooms". These rooms are officially =outside= the company, have a different IP address and domain name, have a different phone number, and are essentially "safe havens" for which the company can legitamately deny any responsibility.
    • Make available to ALL employees copies of:
      • The Verbally Abusive Relationship
      • The Road Less Travelled
      • Healing The Shame That Binds You
      • AA's "Big Book"
      • AA's 12 & 12
      • People of the Lie
    • Provide personal alarms to all employees, with the understanding that it's not "being weak" to use it.

    (I'm sure there are other excellent books, too, those are just the ones I can think of which help people to figure out where they want to draw their limits, to recognise warning signs, and to work out any issues of their own, without the company needing to get involved.)

    IMHO, this is exactly the same fight that mill workers had with mill owners, at the start of the Industrial Revolution, and has exactly the same answer as Robert Owen determined. An educated and sane workforce works better than a hurting and hurt one.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  3. Contextualizing Email by Effugas · · Score: 5

    Stop.

    This presumption that all emails can and should be logged comes from the presumption that emails are equivalent to official memos from the corporation.

    They're not, and shame on anyone who would argue differently.

    The fact that harassing comments may be spoken at the water cooler does not obligate the company to install an audio recorder at that cooler. The fact that harassing comments often are spoken over telephone lines assuredly does not obligate a company to record all calls made to and from the office building. The fact that E-Mail can occasionally lead to harassing comments as well does not obligate the company to violate the privacy of its workers.

    Now, given an active suspicion(usually brought upon by an aggrieved party commenting to his or her manager), it's justified ethically to verify the charge by watching traffic in a limited manner. We wouldn't want someone to lose their job without their sins being proven.

    But to say that employers are mandated by government to spy on everything their workers do obscures the fact that the government itself is mandated a privacy violation infrastructure be built into every single workplace in the name of "protecting us from ourselves."

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  4. Not meant that way by Bruce+Perens · · Score: 3
    It's not meant to be a non-compete, but I see your point. The particular situation that came up is that we found a really good deal that essentially nobody knew about, that got worse if more businesses participated. One of the employees wanted to take advantage of the deal for his own business in a way that would sour it for us. So, I asked him not to do that, and he agreed not to. But you are right that it should not read as a conventional employee non-compete, and I will fix that.

    Thanks

    Bruce

    --
    Bruce Perens.
  5. From the Linux Capital Group employee handbook by Bruce+Perens · · Score: 5
    It's OK to use this text under the GNU Documentation License. I plan to put the whole handbook out as free software when I have time.

    Bruce

    Systems Use and Privacy

    In order to facilitate communications and business operations, the Company uses a number of devices, objects and systems. This includes but is not limited to mail, e-mail, telephones, desks, common areas, cabinets, files, computers, networks, passwords, voice mail, etc. Access can be made by the company to any or all of these items or systems at any time. Employees should not assume that contents of messages are confidential and will be only reviewed by the employee.

    The Company does not guarantee the security of the Company's systems, computers or telephones. If you need to communicate in a secure fashion, do it outside of Company buildings and without using any Company equipment or facilities. We employ technical experts who are able to read your computer data and tap your phone.

    Members of the executive staff, the employee's supervisor, or another employee at the direction of a member of the executive staff, may access, monitor and act on any message or communication or data in any system at any time and may view and consider and act on the contents of any item provided for use in the normal course of company business.

    None of this, however, conveys authorization for any employee to eavesdrop. The email, files, and other communications of your co-workers are not your business and you are to avoid situations that would expose you to them unnecessarily. "Snooping" is unethical and you are liable to be terminated if you engage in it.

    Our systems are never to be used for pornography, email spam, ethically questionable or unprofessional activities. Internet service is widely available outside of the Company at low cost. Do not consider us to be your "Internet provider": our Internet facilities are only for work. Internet communications that are not part of your job should be carried out using an outside internet provider, a non-Company email address and non-company URLs.

    In a nutshell...this means don't be doing nasty or illegal things in the office or on our networks. Respect the fact that your co-workers have access to information on the network and the computers and they would like to be able to respect you in the morning. The Company reserves the right to inspect information and work environment at any time, with or without notice

    No Personal Businesses On-Site

    It is understandable that many of the Company employees are entrepreneurs and may have one or more companies or separate enterprises, outside of their interest in the Company. It is our desire to nurture and respect the mindset of the entrepreneur. However, under no circumstances shall any employee of the Company run their own company at or through the Company. The use of the Company resources to conduct said business is strictly prohibited. All such enterprises shall be conducted completely off-site and shall not in any way be connected to or interfere with the normal operation of the Company

    It is understood and accepted that occasional phone calls will need to be made or taken with regard to personal business. However, there shall be no routine phone calls. There shall be no connections with your personal enterprises and the Company. You are not authorized to use computers, addresses or other Company property, licenses or identification numbers to conduct your personal enterprise. In addition, you shall not use to the advantage of your personal enterprise any business information acquired on the job, at the Company.

    --
    Bruce Perens.
  6. You need a legal opinion not a tech one by gelfling · · Score: 5

    Even if you monitor what are you monitoring for? Who does this protect? While it may afford the company the excuse that they can go after an employee it does not protect the company from anything per se. Moreover if you have an official policy of monitoring AND ALSO filtering then the company is setting itself up to NEVER send out anything that is in violation of the policy. That is, if you claim you are in compliance then you in fact HAVE TO BE in compliance and you may be exposing the company to even more trouble. In this case the liability is clear regardless of who sends out the offending email. Therefore you again have not actually protected the company from anything unless you the email admin can guarantee the process.

    You need to consult an attorney. You may also want to investigate some kind of business insurance to cover litigation and damages that may result.

    1. Re:You need a legal opinion not a tech one by KahunaBurger · · Score: 3
      Moreover if you have an official policy of monitoring AND ALSO filtering then the company is setting itself up to NEVER send out anything that is in violation of the policy. That is, if you claim you are in compliance then you in fact HAVE TO BE in compliance and you may be exposing the company to even more trouble.

      Wrong.

      Lets say the magic words again, everyone : "good faith effort" Aside from the (IHMO sexist backlash of) hysterical overreaction to sexual harrassment claims, the reality is very different. You as an employer are not held responsible for everything an employee does. But you are responsible if you condone it, if you have policies which make it easier on the harrassers than the harrassed, if you don't take early complaints seriously, etc. If you have a policy, you tell people where they can complain, and you make a good faith effort to follow up, you do not have a problem.

      Then again, in the real world (outside of the backlash hysteria) a lot of individuals and companies don't have a problem even when they don't do it right. (begin rant)

      Real life example. A lifegaurd for a city pool sued the city because of pervasive sexual harrassment by her supervisor. The city had a sexual harrassment policy and displayed it at city hall, but the employee worked only at the pool and never saw it. When she tried to complain to her supervisors superior they lied/didn't know better and told her that there was nothing that could be done about it. One of the lower courts ruled that even though they had completely failed to do anything useful with it, the city was still protected from the complaint just because of the existance of a formulated policy. (in this case even a bad faith effort is ok, apparently). The case was under appeal when I heard about it, I don't know the final outcome.

      Another real world case for those who think a flirting UPS man will lose them their business. large supermarket chain had a store manager accused of sexual harrassment bordering on attempted assualt. Their solution to the problem was to maintain his "rank" but switch him to another location where no one had heard about his past behavior. There he was given enough athority over a small enough crew that he could one night order everyone home but one woman at lockup time and rape her in his office. When she found out about his prior complaints and the way the chain had responded to them, she sued. On her last appeal, the court ruled that the chain had not acted in negligence, and she had no standing for such a claim. They did say that she could file a workers comp claim, because the "injury" arose out of normal work conditions. Wanna guess which state thinks having a known sexual predator arround is just something the company can't be expected to change? Massachusetts, home of the "liberal, activist" court.

      Now I keep hearing people rant about these overeacting sexual harrassment claims, but I've never actually heard a authenticated, or even first hand report on one. Out in the real world, it looks like the companies can protect themselves just by having a policy, distributing it and sticking with it, harrassers can protect themselves by being "good enough" that their supervisors turn a blind eye or reassign when too many people complain, and the harrassed can protect themselves.... how? I don't know. make a complaint and hope anything useful happens, then go out and listen to your friends complain about the nuetered corportate culture they're imagining.

      Rant over, gotta go to bed.

      -Kahuna Burger

      --
      ...will work for Chick tracts...
  7. Wierd thought - disallow email. by Christopher+Thomas · · Score: 4

    If your company is liable for any email originating from it, then a logical solution is to block outgoing email from most users. Give the company a few official contact people who talk to clients directly, and act as go-betweens for other work-related email.

    Non-work-related email can be handled through home accounts, POP3 to an employee's ISP's mail server, web mail, or what-have-you.

    This is draconian, but it does virtually eliminate the problem of liability for outgoing email. Internal email management is left as an exercise to the reader.

  8. Encryption policies? by swb · · Score: 3

    What about policies regarding the use of strong encryption in the office? For example, what if I do my "off limits" business at work in a completely encrypted fashion, but for whatever the reason the light of suspicion falls on me. If I refuse to reveal my key(s) which can then reveal the evidence against me, should the company be able to fire me because of that?

    In other words, should there be an organizational policy on encryption? Such as something like:

    "Only organizationally issued [and hence escrowed] encryption software and keys may be used to secure communications. All other encryption may be construed as evidence of prohibited behavior." or some other kind of legalese.

    To me this seems more draconian, but at the same time if the stated goal is maintaining comapany control over the computers and the data, I can't see how you could allow an encryption free-for-all without causing problems.

  9. A way to verify contents without snooping by wtpooh · · Score: 3
    I have always wondered about the use of email evidence in court - it would be relatively easy for company A to invent nasty email messages from company B, all the way down to A's incoming mail server logs. If company B was not archiving all outgoing mail, it would have no way to prove that those emails were not genuine.

    So, what if the B's mail server logs only a checksum/hash of all outgoing mail? Then B would have evidence that could counteract A's account, but would not need to be intrusive or store huge amounts of email forever. While having each user PGP sign their documents would serve the same purpose (and be more reliable, since it would provide definite proof of a forgery), this system would be much easier to implement on a companywide basis.

  10. Having cake, eating too. by lythander · · Score: 3

    Being in a similar situation, I have also pondered this koan, and believe it truly unsolvable. You want to to only monitor true abuses, not minor nit-picky transgressions, and respect privacy as much as possible.

    Can't be done.

    You need must monitor every email is you're to catch those creating true liability. You must log every page view if you're to catch the porn surfers. If you sample these things, those you catch can accuse you of singling them out. If you smple, you might miss some doosies. And as the filter companies have shown us, these sampling and filtering methods do not work (yet?).

    Perhaps what you need is a modest plan involving user education, a written policy protecting user privacy and agreeing to full disclosure when it must be violated in the course of some investigation, and enough documentation to demonstrate due vigilance wrt these issues in case a suit arises.

    In the end, those who want to bad enough will screw everything useful up for everyone. The trick isn't on preventing it so much as being able to prove that you made every reasonable attempt to prevent it.

  11. How is Paper Mail Handled? by SEWilco · · Score: 3
    When I send a paper letter to you, does your company have people who review every letter which is received or sent?

    No, I'm certain the paper mail is simply delivered to your desk. The same way outgoing paper mail is handled, and interoffice paper mail. The mailroom leaves the responsibility with the individuals involved.

    If you remember your business letter standards, how you sign your letter is also an indication of whether you are speaking for the company or not. The responsibility with paper mail is with the individuals.

    Why change things for electronic mail?

  12. Some experiences I've had by RobertGraham · · Score: 3
    You can't avoid lawsuits in America; don't pretend there is a magic pill that will solve your problems. As for monitoring e-mail, there are no good standards yet. You cannot monitor all e-mail, but if an employee comes to you with a harassment complaint, you had better be prepared to start monitoring the offender's e-mail.

    I've documented similar experiences at: http://www.robertgraham.com/pub s/firewall-pr0n.html

  13. Liabilities by interiot · · Score: 3
    This is what can happen if you don't monitor your employee's emails. Chevron had to pay $2.2 million to employees because it allowed its internal email system to be used to transmit sexually offensive jokes.

    This page lists a few more lawsuits from company liability about email. To limit liability in such cases, they suggest:

    • Have an Explicit Written Email Policy
    • Have an Explicit written email monitoring policy
    • Have a User Education Program
  14. This is going to be unpopular, but... by pangur · · Score: 3
    You know, this is your company, your capital, and your ass on the line. If some 'smartass' is going to put keywords into his .sig to annoy you, this same 'smartass' could sabotage you in other ways ("He wants me to make another cup of coffee for him, who does he think I am? I'll show him."). If your employees have an issue with their e-mail being read and their web usage tracked. you can remind them of some facts:

    1) They can have all the e-mail and web surfing at home that they want. Even for free.

    2) You paid for the computers and the internet connection. You get to dictate terms of use. If they want to "represent" the company they need to abide by your rules.

    3) If they screw up and get you sued, you can fire them. You, however, can lose your business. Being the one to put your neck and reputation on the line by starting a business means you take more risks and can get more rewards. Don't let someone take that away from you because they wanted to "show you".

    Overall, if they are adults, they should realize the responsibility that they have to their place of work. If they want to violate your policy and expose you to risk, then someone else can hire them and take the risk. Or, they can become self-employed. Then they can see what it is like to have themselves exposed to risk.

    All my programs have a purpose. This one, for example, takes the contents of RAM and places it in a file called 'core'.

  15. Bizarre Assumptions, Good Advice by Liza · · Score: 3
    As a former plaintiff's lawyer for civil rights cases, I sure wish it was as easy to win millions for the victims of harassment as GMHowell seems to think.

    Standard Disclaimer: I am not your lawyer.

    The fact is, if you have a business of more employees than you can count on one hand, you should probably have policies regarding personal use of the phone, Internet, and other office resources.

    This does NOT mean just write them down and stick 'em in a file cabinet. That's how you get in serious trouble with plaintiff's lawyers. What you SHOULD, do is this:

    Tell your employees what kind of behavior you expect of them. Enforce it. Don't tolerate harassment -- sexual or otherwise.

    Your employees are not stupid. You can explain that a flirtatious UPS driver, or even going out for drinks with the office after work, are different from employees making frequent sexual comments about other employees, different from turning a blind eye to employees who send sexually explicit URLs around the office or spend time at work surfing those sites, and different from employees who hit on other employees and give them worse work assignments after being rejected.

    That last thing -- that's where most employers who get nailed in lawsuits really get nailed. People who end an on-the-job romance (or refuse to have one in the first place) shouldn't have to worry that they're going to get lousy assignments, no more promotions, or lose their job as a result. As an employer, you need to see to it that those things don't happen.

    --
    These opinions are my own. My employer is not aware of them, does not endorse them, and is not responsible for them.
  16. Strengthen internal communication by marshall11 · · Score: 3

    Technology is not going to protect you from lawsuits because technology did not cause the lawsuits. Just because it is easier for employees to keep in contact with people from outside the office throughout the day does not mean that your chances of getting sued increase. When it was fax machines and snail mail, wasn't there also still butt-slapping and memo-boards? The situations in which a sexual harrasment or other company damaging claims could occur weren't able to be stopped by technology back then, and they aren't going to be stopped by technology now.

    Some of the solutions were already in your question. (1) Hire dependable, hard-working, trust-worthy people. (2) As your company grows don't let them lose touch with each other or resources for help in case something does happen to them. In other words, get a strong, honest, HR director or department, someone your employees feel is on their side and not the company's. (3) Talk to a good consulting firm that handles HR issues like workplace grievances and see what they recommend (4) and since it will happen someday, get a good team of lawyers.

    The solution to the issue of unwanted lawsuits lies not in controlling outside contact, but strengthening contacts inside the office.

  17. Put simply... by Dr+Caleb · · Score: 4
    They are adults.

    At least they should be considered so.

    My company has a simple policy - pretty much open internet. Some sites throw up red flags and are blocked (such as playboy.com).

    We publish the companies internet usage policy on the intranet home page. No one has the ability to change that home page. They are required to bide by the rules of internet usage.

    If they don't, the rules are simple - termination.

    And we make a big deal out of it. Terminations are not announced (the rumour mill takes care of that...), but when employees are convicted of having soft/hard/child pron on their machines, a letter of explanation goes out from the company president.

    It's amazing to see the internet usage ramp down for a few weeks!

    --
    "History doesn't repeat itself, but it does rhyme." Mark Twain
  18. The Death of Common Sense by Scot+Seese · · Score: 3

    Haven't we conclusively proven already that one lawyer can cloud legal judgement, and a committee can completely kill the publicly accepted standard of common sense? You most likely allow your employees to use their break time to telephone a loved one from work; If they are instead using their lunch time to call their ex, whom in this scenario has a restraining order against them, are you laterally responsible for providing the telephone at your workplace?! If an employee puts THEIR stamp on a piece of personal mail, and drops in in the company's outgoing mail chute to save a trip to the post office, are you responsible for it's content? I could only hope that if an employee were using your company email to send or recieve objectionable material, the parties involved in any subsequent legal action would be.. the sender, and the receiver. You are running a company, employing adults, not running a day-care center. If your IS manager came to you and suggested that SOMEONE on the network was sending/receiving an inordinate amount of email, it would warrant a short conversation regarding the limitations of personal usage. What is being discussed here, in abstract, is the problem with the US legal system and society as a whole, that being the Death of Responsibility. It's always someone else's problem, isn't it?

    --
    THIS SPACE INTENTIONALLY LEFT BLANK.
  19. simple things you can do by rhombic · · Score: 3

    There are a few simple things you can do to cover your end and make employees life easier:

    1) Have a written internet policy. Work it over carefully. And have every employee who gets a internet-connected computer sign that they've read, understand, and agree to abide by the agreement.

    2) Business e-mail is the same thing as letterhead. Employees don't use letterhead for personal correspondance, they shouldn't use business e-mail for personal purposes. Hotmail, yahoo! mail, go mail, there are a hundred free e-mail services out there that work just fine. Simply make policy that the business e-mail is business use only. Period. Help users setup hotmail/yahoo/whatever if they want. Bingo! You have no ethics problems with full logging/reading every e-mail that goes through. There are no personal/privacy issues to deal with. If an employee gets caught using it for personal purposes, there's no reasonable expectation of privacy since you've already stated that it's business only and will be logged.

    3) Make policy on personal web-browsing. Make it clear what is not acceptable. And deal with abusers promptly.

    4) Sexual harassment: this is only a real problem if something is brought to your attention and you fail to act on it. If the delivery guy is being inappropriate, you ought to be on the horn to the local delivery office immediately if not sooner! As soon as you mention "sexual harassment" and "we're discussing this with legal" the guy will be on notice, and if it happens again, he'll be fired. Guarenteed.

    --
    1984 was supposed to be a warning, not an instruction manual.
  20. Further Reading by ATKeiper · · Score: 3
    We have an archive of related articles on our Personal Security page, here: http://www.tecsoc.org/persec/pers ec.htm#workplace

    - A. Keiper
    The Center for the Study of Technology and Society
    Washington, D.C.

  21. Disclaimers by zlite · · Score: 3

    A lot of banks and law firms (who are most vulnerable to liability) automatically append boilerplate disclaimers to the bottom of all outgoing email. Is it irritating? Yup. Does it work? Maybe. But it certainly reminds employees that liability and responsibility are issues that they should keep in mind.

    Most importantly, it may be able to save you the ugly mess of an email screen.

  22. Educate them by MagicYoshi · · Score: 5

    I've always felt that when you give people all the information, they often can be trusted much more.

    When I was in college, I was involved with a school program that was being threatened with being shut down because incoming students would complain that they were pressured into drinking. However, there were 400 students involved in the program and there was no way we could police them all. The students in charge of the program appealed to the other students, explained the problem and explained the consequences and we had almost no problems. A couple of years later, it had become a "rule", and it's now a problem again. My point is that when we explained the situation, they wanted to help and were able to.

    As far as the UPS person flirting with a receptionist, if you receptionist has some sort of way of getting help or discreetly calling someone into the room, the flirting will not be a problem. I would think any judge would look at that and realize the company had done all it could. But then, IANAL.

  23. Open source to resist? by crgrace · · Score: 3
    I worked at a federal laboratory several years ago and the systems there were under tight security. Every time you logged in a message would come up that what you did could be observed at any time by Lab employees or Federal law enforcement. Pretty freaky. In my group, though, someone wrote a LISP patch for emacs that warned when the sniffers were lurking. Whenever the Lab would be watching what you were doing a message would come up on the emacs message bar saying "Big Brother is Watching". This was right about when the WWW was starting to become popular (we used Mosaic on sunOS!) and I don't think the lab could track web hits yet, so I guess it was checking what directories you were in and what files you were editing to see if your account had been hacked.

    It's a very hard problem for the Lab I'm sure, pitting the need for open exchange of ideas between researchers against the need to protect the security of what we were working on.

    Anyway, now that there are programs that can monitor web usage, could we write a program that could warn users? Or, are all web hits archived so they don't have to monitor in real-time. If this were the case such a warning would be useless.

    Also, is it any suprise companies are reading email, it's as simple as:

    root> cat ~"user"/mail/inbox | grep "insert offensive language here"

  24. 50 ways to move your mail (couldn't resist... by namespan · · Score: 3

    The problem is all inside your head, he said to me
    The answer is easy, if you see it logically
    I'd like to help you in your struggly for privacy
    there must be
    50 ways to move your email

    Get Yahoo, stu...
    or Hotmail, Gail..
    there's freeshell, Del,
    Just listen to me
    go get Hush, Gus,
    we don't need to discuss much
    and get PGP, Lee
    and set yourself free

    (I don't want to slashdot freeshell, but if you look hard enough, you can find them)

    --
    Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.