UK Employers May Read Employees' Mail

Martin Spamer writes: "The BBC reports that today the UK introduces Controversial new regulations (RIP) giving employers sweeping powers to monitor their workers' e-mails and Internet activity. Campaigners say the rules, under the new Regulation of Investigatory Powers Act, are an assault on personal privacy." I guess I just don't see it. If I was gonna bad mouth my boss, I'd use my domain as the e-mail address, and PGP crypt the message. It's not so simple when you're using, say, a corporate laptop on your couch at home on a Saturday night tho.This bill was passed a while ago - but this is the day it takes effect.

Just encrypt e-mail with a proprietary algorithm..

[AFCArchvile]

...and make decrypting it a violation of the DMCA.

Luckily for me...

[manichawk]

I'm working for an UK ISP, so the odds of my emails etc being checked without me knowing are incredibly low. However, this might turn out to be a real pain if we get told to start checking our customers emails...!

Re:Luckily for me...

[Xugumad]

It shouldn't cover your customer's e-mails, only employee's e-mails.

Re:Luckily for me...

[arivanov]

If you are porviding business mail hosting as some UK ISPs do you must brace yourselves to be ready to order such service. In both technical and moral terms. The employer is entitled to read the business mail of its employees. This is valid only for hosted business email though. Not for personal.

Hot off the press (well nearly)

[billybob2001]

The BBC reports that today the UK introduces Controversial new regulations (RIP)

Actually, it came into force yesterday.

Re:Hot off the press (well nearly)

[henley]

A fair call, however note that esteemed UK news organisations have only just got up a head of steam (or crawled out of the nearest watering hole; pick your favourite explanation) and caught on to the fact. Hence although it became law yesterday, it's making the news today.

Re:Just encrypt e-mail with a proprietary algorith

[verbatim]

Have you thought about patenting that idea?

sounds like a good one ;)

I don't understand

[_UnderTow_]

"Campaigners say the rules, under the new Regulation of Investigatory Powers Act, are an assault on personal privacy"

How is this an assault on PERSONAL PRIVACY? You are sending mail and surfing while on company time and you whine because your employer wants to see how you are using it's resources. If this were the government monitoring it's citizens I could understand, but not a company monitoring it's employees.

Re:I don't understand

[radja]

my break is my time, not my employer's. and my employer better not snoop on that...

//rdj

Re:I don't understand

[11223]

Yes, but (on your break) do you use company equipment to send email? Is it not their perogative to monitor any usage of equipment they own? Go take a walk to the local library and then send your email, okay?

Re:I don't understand

do you use the company toilets ? i assume you have no objections to us distributing CCTV snaps of your pee.

Re:I don't understand

[TA]

Think of ordinary (snail) mail. Somebody is sending you a personal or otherwise private letter, either to your working address because that's the only address they have, or your post office has temporarily re-addressed mail to you to your working address because your're moving or something. Now, do you think it's right that your boss can open your private mail?
Obviously if it's snail mail or "e"-mail this is no different.
TA

Re:I don't understand

[_UnderTow_]

Do you seriously think that employees are waiting until their break times before sending personal email? That they only surf the 'net while on breaks?

If so you are in serious need of a reality check

________________________________________________ __

Re:I don't understand

[Xugumad]

Does it use their resources? Certainly, if someone was having significant amounts of personal mail (as people tend to, with e-mail) arriving at work, then I would expect employers to quietly ask the employee just what was happening.

I'm sure infact, that if employees were getting 5-10 personal letters arriving at work (I'm guessing based off my own e-mail quantities), a similar bill would probably follow shortly afterwards, for personal mail.

If you want to keep it private, don't involve work in it!

Re:I don't understand

[ShieldWolf]

American's confuse me in this respect: why is it that you are so paranoid of goverment intervention in your lives, yet you don't think twice of CORPORATE influences?
I mean, your country and your values are being sold down the crapper to big business and you don't even seem to care. Snooping is wrong NO MATTER WHO DOES IT. If I call my Sister on the phone at work it doesn't give my employer the right to record the conversation. There are laws against recording conversations here (Canada) where the recording party is not present in the converstation. The same should apply to email. If I don't write my boss he shouldn't be able read my mail. HOWEVER, he _should_ be able to read the headers to know _where_ I am sending my mail because indeed it is a work resource and he should know if I am wasting my time. I just have a big problem when people assume that because your company owns the equipment and resources you are suddenly in 1984 where you have no rights to privacy. This is wrong.

-Shieldwolf

Re:I don't understand

[f5426]

> You are sending mail and surfing while on company time and you whine because your employer wants to see how you are using it's resources.

So, in your book, your employer can read your mail. Your employer can tap your phone. They can put microphones in your cubicle. Should they put electrods on your head too, to monitor what you think ?

In your book, and employee is also just a resource that the company can monitor.

I find something weird in that. I am not a resource. I don't want to be a member of a society that consider myself as a resource.

Cheers,

--fred

Re:I don't understand

[nlvp]

I see your point, but I don't agree.

If someone is in an office, and receives an email from their doctor, giving them information about an appointment, that information should be private, as it is none of the company's business (at least in most cases).

The fact that the company owns and controls the vector that is being used to communicate the appointment is, in my opinion, irrelevant in any reasonable moral context. They may own the laptop, but they have no right to the proprietary information flowing between me and a third party. Because email leaves a trail, it is inherently less secure than paper mail - if I use a company pen to write a letter, they can't snoop on it, even if it's written on their paper, but because with email they can, they do...

A related point is that The RIP bill, as far as I understand it, means that they can do this without informing you of their intention to do it prior to the fact, so someone a little less clued up than your average Slashdot reader may be writing in the belief that it is private.

And what makes you think the library isn't snooping? Or the Cybercafe? Or your ISP? Or your telephone company?

Whichever way I look at this, I don't like it.

Re:I don't understand

[mindstrm]

And they won't.. as long as you aren't using THEIR equipment and THEIR bandwidth to do stuff.

Re:I don't understand

[f5426]

lol. How true

--fred

Re:I don't understand

[TomV]

How is this an assault on PERSONAL PRIVACY? You are sending mail and surfing while on company time and you whine because your employer wants to see how you are using it's resources

Because RIP is not the only new legislation bearing on this matter.

It's going to take a fair bit of fighting in the courts to establish what takes precedence - this aspect of RIP, or either of...

• The latest cut of the Data Protection Act, under which it's a criminal offense for the employer to monitor personal communications without the consent of both parties, so long as there's sufficient evidence that the communication is personal (e.g. "[personal]" in the subject), and..
• The Human Rights Act, which (at last!) gives us, amongst others, the right to Privacy, and to private personal communications in the workplace.

As was in fact mentioned in the (broadcast) BBC reports on this story this morning on Radio 5. Just before their loopy debate on whether email actually serves any useful purpose whatsoever.

TomV

Re:I don't understand

[dillon_rinker]

You are sending mail and surfing while on company time and you whine because your employer wants to see how you are using it's resources.

Bad logic.

When you go to the toilet, you are using your employers property, and are possibly doing this on your employer's time, and may even be engaging in obhjectionable practices. Does your employer therefore have the right to install cameras in the toilet and watch your activities there?

Re:I don't understand

[hawk]

>If someone is in an office, and receives an email from their doctor,
>giving them information about an appointment, that information should
>be private, as it is none of the company's business (at least in most cases).

1) then don't get it at work.
2) if it's just the time to come, and you go during office hours, it *is*
the company's business.

>The fact that the company owns and controls the vector that is being
>used to communicate the appointment is, in my opinion, irrelevant in
>any reasonable moral context. They may own the laptop, but they have no
>right to the proprietary information flowing between me and a third party.

??? And you get to decide what goes between the "do not look" veil? This
makes industrial espionage just too easy.

And again, you have no "right" to use the company's machines in this
manner anyway.

hawk, esq.

Re:I don't understand

[Bug2000]

In the case of emails, why not marking personal emails as 'Personal'. Those emails would not be legally accessible by the employer. And if an employer sees that there are 50 personal emails a day for an employee then he is fully entitled to say he has a problem with it. Privacy is preserved and company working time is monitored. In the case of internet access, I believe that employers should be allowed to say that it can only be used for work purposes and therefore have full right to monitor their employees' navigation. Sort of meeting behalves...

Re:I don't understand

[Zurk]

you have no "right" to sit in the company chair or desk or even walk thru their door. you have no "right" to use the company toilet or even work for them. grow up. its fairly commonsense. if you can pee in the toilet with the expectation of privacy you should be able to surf/email/whatever with the same expectation.

Re:I don't understand

[sporty]

Actually, they can. Sorry, if they actually owned the building... but in most cases they don't, so obviously, they can't. The logic is still right though... its their property.

---

Re:I don't understand

[aziraphale]

Did it occur to you that it is very unlikely that your company cares.

You have to give them reason to suspect something. Return from the toilets with a needle sticking out of your arm and see if the company doesn't take an interest in what you do in the toilet cubicles.

Re:I don't understand

[PD]

If you want to yell "I'm mad as hell and I'm not going to take it anymore" out your window, that's fine. If you want to yell that same thing out of a window that I own, that's a completely different story.

Your boss owns the internet connection, and if he chooses to, he can control what you yell out his window.

Re:I don't understand

[Martin+Spamer]

Under UK Employment law people have traditionally had a "reasonable expectation of privacy" whilst at work.

It was actually illegal for an employer to monitor personal telephone calls. Since personal calls are a common perk in the UK. If they are allowed they should be private.

This was extended to include email (well any personal data on a computer) by the Data Protection Act. RIP, reverses this (and other) legal protections.

Re:I don't understand

[dillon_rinker]

BZZT! Wrong answer. In the US, at least, spying on people in the toilet is illegal.

Re:I don't understand

[nlvp]

??? And you get to decide what goes between the "do not look" veil? This makes industrial espionage just too easy.

No - there's no decision to make - they never look, they have no right to (well, until yesterday I guess).

Industrial espionage 101 :
1. Get confidential documents
2. Photocopy confidential documents
3. Put photocopies in envelope
4. Send letter to competitor
5. Return originals to cupboard

This has been possible for decades. Email didn't rewrite the rules, it just happens to be a vector that *can* be controlled, therefore they pass laws taking away rights that have been taken for granted for generations.

Industrial espionage has always been easy, email didn't rewrite that rulebook.

And again, you have no "right" to use the company's machines in this manner anyway.

Even if that were true (which it isn't unless that happens to be explicit in the terms of your contract or the general terms of employment), once you have sent the message using their equipment, regardless of whether you had the right to or not, they still should not have the right to intercept and read it - they should only be allowed to discipline you for using the company equipment in an unauthorised way. Now, whether the use of the computer was permitted or not, they can still snoop - you have lost privacy in the workplace, which I think is very serious indeed.

Re:I don't understand

[JSurguy]

Does this mean that you would consent to your employer doing automatic drug/health scans on your faeces because you are using a company toilet?

Re:I don't understand

[QuMa]

No, they don't have the right to do that. They do, however, have the right to take snapshots of the toilets, even when you are using them, as long as the photo's don't have you on them.

Re:I don't understand

[malfunct]

I agree, the way to solve this problem is to GET YOUR OWN ACCOUNT AND ACCESS IT FROM HOME. Geeze, how many brains does that take. I think that its perfectly resonable for your boss to monitor what you do with your computer the same way you are monitored on a cash register or the fry machine or whatever. At work you are in a different world, you have in alot of ways sold yourself for the wages you get.

If you don't like it, find another way to get that money you so love to have in your pockets. I am more for rights, privacy and personal responsability than anyone I know but there are certain places where what you do is just public, on the work computer is one of them. So quit whining and start writing those juicy e-mails at home from your own computer in your bedroom, but make sure you encrypt those suckers because you wouldn't want someone to read them. Yikes.

Re:I don't understand

[jeremyp]

You should never consider any e-mail transmitted in clear text to be private. If my doctor was sending such e-mails to me at any place (home or work), I'd take him aside and introduce him to cryptography.

There's lots of stuff in RIP that I disagree with, but frankly, if you are sending stuff across their infrastructure (e- or snail- mail) that you don't want your company to see and you get found out, you deserve to be fired for stupidity.

Re:I don't understand

[shepd]

Ok. Well do they have a right to monitor how often you use the toilet?

How about a list, posted conveniently on the door:

- Urinal usage:
- J Smith - 3x today, average 1:20 seconds. 5 cups fluid collected.
- P Larson - 2x today, average 1:12 seconds. 4 cups fluid collected.

- Toilet usage:
- J Smith - 1x today, average 15:20 seconds. 2 cups fluid, 4 oz. solids collected.

Is _that_ legal? You certainly wouldn't need cameras to monitor this. Just a security guard recording the people/times, and an automatic "sampling" machine connected to the... ahem... toiletry devices.

Where does it end?

Re:I don't understand

[QuMa]

I wouldn't have a problem with that, but when it goes to a chemical analysis I admit it's a bit less nice. I'll agree that it's a slippery slope. However, I still don't have a problem with monitoring computers at work. You have to go to the bathroom at work (well, more or less). However you don't have to use the comp for things you want to keep private at work...

Re:I don't understand

[DaveHowe]

How is this an assault on PERSONAL PRIVACY? You are sending mail and surfing while on company time and you whine because your employer wants to see how you are using it's resources. If this were the government monitoring it's citizens I could understand, but not a company monitoring it's employees.
Personally? I start work at 8:30 am, finish well after 7pm, five days a week (weekends optional). No-one (with the possible exclusion of you, it seems) honestly believes you can cut that big a chunk out of your life, totally excluding any personal business, especially if you are married with children. Excessive personal time during working hours is usually frowned upon, but arranging doctor's appointments, being contacted by your offspring's school and/or arranging your weekend's entertainments is usually accepted as a small overhead for being in business. Employers may well expect such things to take second place to working practices, and in particular outgoing calls should be in breaks rather than while on duty, but it *should* be deeply suspect if an employer decided to pass over an employee for promotion, based on the twice she has phoned her doctor to arrange a pregnancy test.....
--

Re:I don't understand

[Weh]

They own the building that you're using to eat the sandwiches your wife made for you too... Does that give them the right to read a letter you wrote during lunchbreak with your own pen and paper ?

Of course they can monitor the usage of *their* equipment but that's totally different from reading someone's e-mail. the equipment is *theirs*, the content of your e-mail is *yours*. Let them install a cpu usage log if they are so concerned with the use of their equipment. if an employee has too much use, tell him to lower his private usage, there's absolutely *no* reason to read his/her mail.

i don't understand why companies are so paranoid over their employees using the internet too much, if a person doesn't do his job, fire him, if he does do his job then why worry about how many e-mails he sends ? Even in the old days there were a lot of ways to do non work-related stuff at the office, drink coffee every 5 minutes, read newspaper and magazines, write your personal letters and the list goes on... suddenly internet comes along and then companies start worrying about how much their employees use it instead over if they do their job or not, that's stupid.

my theory is that a lot of managers spend too much time on the web and because of that think that all the others must be doing it too...

Re:I don't understand

[Weh]

It's ironic, in Holland the government just passed a law that makes it illegal for a person to read e-mail not sent to that particular person. It falls under the same law as written letters (the constitution is going to be changed to cover electronic commucication). If they read your mail, you can sue them... (of course you'd have a hard time proving it.) I think it's a great law and it shows that 'our' government has at least some sense when it comes to new communication technology.

Re:I don't understand

[Lord+Kano]

That's why it pays to be in the higher eschelon of your company's IT pyramid.

LK

Re:I don't understand

[Denial+of+Service]

That is the dumbest comparison I've ever, ever heard. Black slaves had the snot beat out of them in any situation where they didn't obey the massah. You, on the other hand, earn a presumably comfortable living and are forced to follow simply rules of the office, none of which result in bloody welts across your back. Nice comparison.

If you don't feel comfortable with the potential that your boss can read your e-mail or track web usage, then don't use either for stupid or questionable activities! Jesus, what is this, rocket science? He owns the computer you're on, as well as the bandwidth you are using, and as such, has every right in the world to object when either are used improperly (in his opinion).

Man, I hope your comment was a troll, because the idea that anyone can be so completely clueless sends shivers down my spine.

---

Re:I don't understand

[Teun]

Hawk, what happened in your life to act so simple?
You sound like these guys that were sentenced in Nuerenburg in '48, life is not black and white, there are many shades in between.
We are not talking about abuse, it's simple use that's being put in jeopardy.
Abuse like espionage has always been an offence anyway and can be investigated regardless of the new 'law'.

Re:I don't understand

[Teun]

At work you are in a different world, you have in a lot of ways sold yourself for the wages you get.

Wow, you've just worded the difference between 'US of A' style capitalism and European humanity.

I am more for rights, privacy and personal responsibility than anyone I know but there are certain places where what you do is just public, on the work computer is one of them.

Ha!, 30 or maybe even 20 years ago a computer was indeed just a tool, today it's far more, it's communication regardless of the place of operation.

So quit whining and start writing those juicy e-mails at home

There you go again! mixing up issues, we're worried about private conversation not about irregularities

Re:I don't understand

[Robert+S+Gormley]

I don't think anyone thinks that. The issue is with people who whine about doing something they (in *most* cases) technically shouldn't, and being harangued about it.

Re:I don't understand

[nickco3]

Yes, but (on your break) do you use company equipment to send email? Is it not their perogative to monitor any usage of equipment they own?

When I'm on my break, I use company equipment to take a shit. If they start monitoring said usage, I'll be deeply unhappy.

Re:I don't understand

[ShieldWolf]

My company could reprimand me if they check the phone records. That doesn't give them the right to listen in on the CONVERSATION however.

Re:I don't understand

[TA]

In my opinion your logic in flawed. And, to answer your question, there are many people here where I work who receives many more than your "5-10 mails" (snail-mail) every week. Much more. And I have my guitars delivered at work, because it's convenient (better than the shipper leaving them on the lawn!). So what? Why would the employer mind? Well, obviously they can start to wonder, ok fine. Then just ask for God's sake! Why would the employer have to *open* the mail? And where I live it is in fact illegal by law. The way it works here is that anything shipped/mailed here will be opened by the secretaries if, and only if, the company's address is first, i.e. if it says
To: Company ltd.
Att: Somebody
then the secretaries will open it. On the other hand, if it says
To: Somebody
Company ltd.
(rest of address)
it will never be opened, even if the sender in fact meant it as business mail. The person "Somebody" will then have to open it, and if it's business then get the content registered with the secretaries. Works great and is in accordance with the law.
And of course we treat email the same way! If it's for the employer or the boss or to be archived the sender will have to send the email to a business, not personal, mail account. Works absolutely great, and anything else is IMO criminal. And employer wouldn't dream of it either.
TA

Re:I don't understand

[TA]

The bank owns my house. The bank owns my car. At least until they're paid, but according to the law they're the bank's until they're paid. Now, does that mean that the bank gets a right to record my conversations in the house? In the car? What I'm asking is: Why do you think that because somebody owns the environment you're in, that they also get the rigth to record, listen in to, open etc. everything that *you* own? Why? Why not let them put cameras in the washrooms then?
TA

Re:I don't understand

[TA]

No, the logic isn't right. The bank owns the property I'm living in, according to the law (because it's gonna be a long long time until it's paid). They own the property. Why does that give them a right to monitor everything I do inside their property?
What I can't understand is why so many of you guys are prepared to be treated like a slave, a property, a "resource" of your employer. I don't know why so many of you guys are so willing to accept that you are "owned" by your employer, that you're nothing but a mindless robot and that you can be treated as just any bookshelf or basket. I don't know about you but I sell my working capability to the employer, I'm not selling myself. The employer monitor my work performance by my output, he doesn't measure it by comparing it to my theorethical work performance. After all, that's not what I'm selling him. I'm selling some of my capability, not my whole self.
TA

Re:I don't understand

[TA]

No no no. You don't have to mark mail [Personal] or anything like that. After all, it wouldn't work when somebody sends you an incoming mail, not knowing that it's your work mail address.
The solution is infinitely much simpler: Create a work mail account that's clearly non-personal, e.g. 'aix-support@company.com', 'feedback@company.com' etc. Then automatically archive those mails, make an intranet web interface, put several people on the list of that's useful, or switch to other people while you're on holiday or on mission. This solves a whole bunch of problems:
1: Separation between business/important mails that should be archived and your own volatile and/or private mail.
2: Business customers have one clearly marked "professional" mail address to refer to.
3: No risk of important mails being overlooked or not handled (because you're away or whatever).
4: No need for anybody snooping into your incoming and outgoing mail.
TA

Re:I don't understand

[TA]

Why on Earth to you think that you have "sold yourself"? You haven't and you shouldn't. Are you a prostitute? You have sold a part of your working capability to your employer and that's all. The employer can monitor what he gets back by monitoring your work output, not your goddam mail or phone conversations! He doesn't OWN you! Be slave labour if you want to, and let the rest of us stay human.
TA

Re:I don't understand

[f5426]

Yeah. This is the trouble of the other posters.

They consider property more important than existance.

The salvery comparison was right on the target. There are a lot of part in the world where slavery exists, but where you won't be shot for trying to escape.

You will just die of hunger.

This is the world they are preparing to themselves. Dreaming of 'Changing of employment because of policies' is not something that will last forever.

Cheers,

--fred

Re:I don't understand

[hawk]

simple? I suppse this is.

There's no entitlement to use the company computer. THe simple solution for the company is "absolutely no personal use," at whcih point there is absolutely no objection available to the company reading anything on there.

The next step from here is the company offering limited yuse with conditions. If you don't like those conditions, don't take that limited use.

*nothing* in here suggested that companies could read email on personal accounts, or tap personal phones.

This is really about the company being able to control its assets.

Re:I don't understand

[sporty]

Actually, as lanlord, you are in a management position.

Slaves? Um, I'm not owned. If anything I can take a vacation (almost) anytime I want. I do have some freedoms. But when they lend you equpipt, they need to simply make sure you aren't using it for malicious purposes. I'm sure that when you were a kid, you didn't not get in trouble for abusing the things that were given to you to some point.

I'm sorry, but saying "no" to my boss and his reasoning for trying to get the company to go forward, something that I take some pride in doesn't make me a slave. I don't view my players (on my sports team) as equals to some extent, pawns to use against another team to win and a populous to keep happy so that they have fun and I have fun.

It sounds more like you have a problem with authority and that the company should move to your whims.

---

Re:I don't understand

[Xugumad]

I see your point, although I did mean 5-10 a day. Certainly, I would hope bosses wouldn't care about small amounts of personal e-mail... however, do people open, read, and write responses to their personal snail mail while at work? Because I think that's more what bosses have a problem with.

One thing that also occurs to me, is how could a boss easily determine between personal and non-personal e-mail? Personal snail mail has a tendency to be handwritten, making it more obvious, but personal e-mail looks, without opening it, identical to business e-mail.

If a simple method could be found, so bosses could just quietly bring the issue up with the employee in question, without having to open their e-mails to check, that would be great. I just can't see how...

Fair enough, though

[Red+Moose]

OK, a lf of folks here might shout and scream about privacy, etc., but the fact is that email or web browsing on corporate time should only be for corporate purposes. There were quite a few articles a few years back about email wasting employee time and such.

So I think it's okay to say whatever on your own time, but it seems like an *okay* step to take in work matters, as long as such a law is never evvvvvvver passed for normal home use/personal use.

Re:Fair enough, though

[LemonYellow]

AFAIK the RIP bill allows the government to access any digital information anywhere. Business can't access your home mail, though.

PGP?

[JohnnyWashNGo]

Can't they force you to hand over your key if they suspect something is amiss? So you can either give them access to your encryted mail or walk out the door...

Re:PGP?

[lga]

Under the RIP act several things have changed. First of all the authorities (any authorities, it's badly worded.) can demand access to your email and the rest of your computer. MI5 has a building dedicated to monitoring links from ISP's. Secondly they can demand a decryption key for anything they cannot read. Failure to come up with a key carries an automatic two year prison sentence. Telling anyone that you have been ordered to give access to your email also carries the two year sentence.

Steve

Re:PGP?

[Xugumad]

I beleive they changed the wording slightly. They now have to prove you have the key, before they can send you to jail.

Re:PGP?

[arivanov]

Minor correction.

You do not walk out of the door. If you do, they can sue you for misconduct and than you should give the key to the police which will lawfully request it as a part of the investigation. If you refuse to do so it is 2 years in jail.

That is what RIP is all about.

Clockwork Orange and 1984 all the way.

Re:PGP?

[aziraphale]

But this is PGP we're referring to - PUBLIC KEY crypto. I can't decrypt the things I encrypted - the person I'm sending them to can decrypt them. It's no good whatsoever coming to me and asking me to decrypt those messages I sent, since _I_ can't.

Re:PGP?

[billybob2001]

I now have 138000 something keys, and rising.

They can have them if they must.

And no, I don't believe I have to tell them which one matches which data.

You can't assume privacy in a corporate env.

[Gendou]

Being at work or using corporate equipment to do - whatever... is like being a guest behind enemy lines. Regardless of the company tells you, you're always under suspect and someone will always be watching you. As the poster mentioned, the only way to really be safe is to encrypt anything you have to say that the company might not like. Then again, can they ask you to decrypt whatever it is you send when they find the message?

Re:You can't assume privacy in a corporate env.

[henley]

I've been in this situation. It's easy. "whoops, forgot the password."

Of course, if the situation involves Plod[*], you're now in breach of the Regulation of Investigatory Powers (RIP) act which holds you legally accountable for any and all keys/passwords etc that can be traced to you. Welcome to the Big House, where it's your turn to pick up the soap....

[*]Plod, n: Law Enforcement. The Rozzers, Knacker of the Yard, the Police.

Re:You can't assume privacy in a corporate env.

[crivens]

No no no no. You're not behind enemy lines. That is typical Slashdot "we hate everything that isn't open source, free, Linux or free speech".

You work for a company, you're working on their time. You're using their resources; you're using their servers. They pay your salary. You have a commitment to that company to be responsible with their time and resources.

The company you work for is not your enemy. If that's how you feel then either you should work elsewhere, or you need your head seeing to.

If I ran my own business, and I found out that someone was posting inflammatory (is that a word?) postings on a newsgroup or browsing porn sites or sites that showed you how to make bombs (for example), I'd be pretty pissed off. I'd give them a warning, and then fire them they didn't stop. It would be my company, my rules, my machines, my money and my time. If they then say "but you can't tell me what NOT to browse", I'd say "oh yes I can".

Note that this is my moral position and not my legal position.

Re:You can't assume privacy in a corporate env.

[Peter+Millerchip]

Measure your people
By the output they produce
All else is inferred

Re:You can't assume privacy in a corporate env.

[crivens]

Each to their own. I'd rather not have someone who works for me that is a good worker, but runs a paedaphilia website. Extreme example I know........

Re:You can't assume privacy in a corporate env.

[jeremyp]

No they can't because you've encrypted it with the recipient's public key....

Re:You can't assume privacy in a corporate env.

[Anonymous+Coed]

I'd rather not have someone work for me who is a good worker, but on their own time at home, is a reactionary crank on slashdot. Where do you draw the line?
---

Employee Mail

[NetJunkie]

I'm always amazed that people are surprised that an employer is reading their mail. Users need to realize that the computer they use at work belongs to their employer, as does the network, the internet connection, and the service to keep it running.

Given that, I've never been anywhere that just checked everyone's email. The person they check on has been doing other things that make the employer suspect something is up.

But be warned, there are plenty of applications out now that scan email for keywords whether it be naughty words or things that may be confidential to the company.

Re:Employee Mail

[radja]

>Users need to realize that the computer they use at work belongs to their employer, as does the network, the internet connection, and the service to keep it running.

so is the toilet.. how'd you like a camera there?

//rdj

Re:Employee Mail

[henley]

actually a lot of company toilets do have CCTV

Heh, so if I use too much TP does that count as pilfering office supplies?

oh please oh please oh please let that one go to court....

Re:Employee Mail

[sulli]

Well, of course the employer owns the computer, so the employer has certain rights. But that doesn't make it good practice to do so. I know that if I had reason to believe that my employer routinely monitored my email for anything other than patently criminal activity, e.g. stock manipulation or corporate espionage, I would quit.

Good employers know how to treat their workers. It's up to the employee to choose a company that treats him/her right - particularly in this tight job market.

Re:Employee Mail

[driftingwalrus]

> so is the toilet.. how'd you like a camera there?

Interestingly, what if a certain disgruntled employee where deliberately clogging said toilet? Or lobbing explosive charges down the thing? Would it be justifyed to mount cameras in the washroom so as to identify said employee?

Re:Employee Mail

[Mr_Dyqik]

But UK employers are bound by Health and Safety law to provide adequate toilet facilities for employees. I'd say that providing the time to use them is part of those facilities.

Re:Employee Mail

[gle]

They own the hardware. I own the data.

Sneeking into my data is a violation of my privacy. It is especially dangerous since you have no way of knowing if your mail has been read.
I think it should be allowed, but employees should be warned explicitly in their contracts that their mail can be monitored. Obviously, many people would refuse to work there.

____________________

Re:Employee Mail

[gle]

Ok, so I can't use the toilet during the break because that would be abusing the company's property.
I guess I can't shit on my chair also.
Is this the solution, then?

____________________

Re:Employee Mail

[karnal]

one difference:

highly trained and paid employees don't have to maintain a toilet. Perhaps if there was a 200$ "per port" fee for each toilet (which you could actually say the cost + install of a toilet would outshine this), as well as administration for that "port", then yes.

Another thought is that I can easily "plug" up my employers' network with junk mail etc. That has an effect on everyone here, not just on my port. An aside, however, is you could "plug" up the toilet. But, this only affects the people coming into the restroom (gag, cough)... and the other ports are still open for full bandwidth "dumping".

Just my thoughts...

Re:Employee Mail

[iramkumar]

btw,i do not know of anyone who would like to work in a company (even it be no.1 and pay u like hell)
which does this !!

Re:Employee Mail

[ChadN]

I wouldn't. But what if everyone were issued a key card to gain entry to the toilet (ie. entry time and perhaps duration were recorded)... I stil wouldn't like it, but I can't say it should be illegal for them to do so (I'd just quit, or take a pay raise :)

Re:Employee Mail

[SEAL]

But, this only affects the people coming into the restroom (gag, cough)

I dunno about that. I've seen a few coworkers manage to overflow the damn thing into the adjacent hallway after a healthy christening of the bowl...

Re:Employee Mail

[BoredByPolitics]

Given that, I've never been anywhere that just checked everyone's email. The person they check on has been doing other things that make the employer suspect something is up.

Humph, you obviously didn't work for my previous employer in the UK then. I only found out that one of the Directors was reading everyones email when he forwarded an email to me that I had sent to myself, containing financial details I needed to act on that day!

Even the MD didn't know he was doing this, and was most upset when she found out.

Of course, the response was to formally notify everyone that he was doing this.

Re:Employee Mail

[Teun]

so is the toilet.. how'd you like a camera there?

Well, you just hit a point! Not so long ago I was on this US oil rig (Rowan) offshore Louisiana and I questioned the realy tiny swing doors on the toilets, I was told by the toolpusher they were so small for the purpose of checking up on who was in there and for how long he was off work!

In the cabins (bedrooms) the privacy curtains (legal requirement in Holland) that were on the beds only a year before when the rig was still drilling in Holland had been removed, same reason: the ability to check up who was in bed instead of at the job.......

this style of management makes me sick

Re:Employee Mail

[Robert+S+Gormley]

Then you shouldn't be creating that (personal) data at work, should you?

Re:Employee Mail

[TA]

You are arguing that, among other things, that the employer can monitor your mail etc. because he owns the network it runs on. That's flawed logic if I ever saw it. Of course somebody else than yourself owns the network! The telecom. company owns the network I'm phoning and mailing from at home, it's their property, does that give them a right to monitor my phone and mail? Does it?
TA

Re:Employee Mail

[NetJunkie]

No. Because YOU pay for that service. Your company pays for the service at work. Big difference.

Re:Employee Mail

[radja]

maybe not highly trained or paid.. but still maintained.. and if your companie's toilet is not maintained... well if a company doesn't care about its own hygiene it can't be much.. the flushing toilet was recently voted as the best invention ever. you should care for it ;)

//rdj

Isn't this the same as in the US?

[Enry]

I believe e-mail and internet usage can be monitored by US employers, but only if they notify the employees that montoring is taking place.

However, I seem to remember the outcome of the Steve Jackson Games case was that the govt. treats e-mail just like postal mail (i.e. court order required), but since the machine that sends/stores e-mail is owned by the company, they have the right to do with the contents as they please. This allows companies to monitor e-mail.

Re:Isn't this the same as in the US?

[peter303]

<I believe e-mail and internet usage can be monitored by US employers, but only if they notify the employees that montoring is taking place.>

No. Numerous court cases have said the employer has a defacto right to intercept all communications- letters, email, telephone- that use company resources- address, time, facilities.
However, in this tight labor market it is stupid for an employer not ot be upfront about it,
because people do quit when they find out.

Don't do the crime if you can't do the time.

[grovertime]

First off, not every employee is going to know how to encrypt their messages so Malda's suggestion is hardly universal. But dealing with the issue, I am not necessarily opposed. While laws that regard penalties for anonymous posters (eh-hem) to be responsible for their posts are ridiculous, using your company's infrastructure to degrade it should not be permissable and oughtta come at some sort of risk.

1. 
   My Vote's On This Doofus
   

use PGP

[Lxy]

the company I work for already does this (or so they claim). In the employee policy manual, it specifically states that my employer can read my e-mail, listen to my voicemail, and monitor my internet activity. What's the solution? Use PGP e-mail. Most PHB's don't know what encryption is and are too naive to think their's someone in the company smarter than them. Use anonymizer to surf the web for any non work related stuff. It's that simple.

"You'll die up there son, just like I did!" - Abe Simpson

Re:use PGP

[Zurk]

anonymiser wont protect you. its simple :
Your machine -> Company/ISP -> anonymiser -> website
if they sniff traffic they can sniff your anonymiser sessions since anonymiser doesnt use SSL like hushmail does. and since anonymiser enocdes URLS in the GET/POST request they can be sniffed too.

Re:use PGP

[Peter+Millerchip]

Use of PGP
Like poking sleeping tiger
You will be noticed

Steganography
Ancient art of hiding things
Makes useful ally

Re:use PGP

[LemonYellow]

My company just banned the use of encryption as soon as it got wind of it. Doh!

What can they be sending?

[empesey]

What on earth could you be sending to other employees while at work, that it would matter what you're sending? Anyone, who at this point, is not aware that email is not in the least bit secure, should get what they have coming to them. Personally, I hate it when other employees send crap they download from AOL, thinking they are witty or clever, and that I'd be interested in this droll humour. Chances are, I've probably already seen it anyway.

Has anyone ever noticed it's the technopeasants who send you this stuff (as if they discovered some untapped corner of the internet).

Re:What can they be sending?

[Stonehand]

* Harrassing, 'anonymous' e-mail to your coworkers. I'm not up on British law... but at least in the US, the employer might be liable if he fails to stop it (think 'hostile working environment')...

* Corporate espionage of sorts. Even intra-company. A Payroll employee could broadcast compensation figures, which might be most embarrassing for many.

* Details of conspiracy. More of a potential problem for financial businesses, I'd guess, where disgruntled employees plan an inside job.

Rare? Yes. It happens, 'tho, and if the employee has been acting suspiciously, maybe the employer would want to be able to check. Should he be allowed to? Depends on the rest of British law regarding data privacy...

Hmmm. An employer could go far to prevent this by, say, using a locked-down Linux (or similar) installation without a compiler, and 'noexec' flags on user-writable partitions. A BIOS setup password, LILO password, and using sulogin in /etc/inittab help.

Want to use GPG? Fine. But the local version implements key escrow... And so forth. It'd take a while to set up, perhaps (at least if you want to take into account SSL-capable browsers...), but it might be possible for a paranoid employer.

Re:What can they be sending?

[empesey]

As you say, it's rare but it happens. Even if there was no law passed, I believe that each of those could be dealth with, as a simple matter or corporate turpitude. If a company got wind of a coup against the company, it could always argue that since the computers and everything on it are property of the company, that all correspondences are as well. There'd be a pretty good chance the court would side with the company, since after all, the participants of the email were up to no good. There's always the plea of corporate self defense .

I think more often, the companies would use the newly enacted law to fire people who are passing off-colour jokes or sending those annoying joke exe files - espcecially if the exe files have a virus attached to them. At the very minimum, they could use it as leverage to save some money at evalution time (i.e. no raise for you).

What's wrong with this?

[redmonk_x]

I honestly don't understand why this is even an issue. If you're on company time and using company equipment, then yes, your boss has a right to monitor what you're doing. Go back 20 years ago. If you're typing something and your boss walks over and starts looking over your shoulder, did you tell him to quit invading your privacy?
Just wait until you get home to send those personal emails or download mp3's or look at pr0n or whatever else it is you want to do. That way you'll keep your privacy AND your job.

What about...

[11223]

...employees of backbone service providers? If you send an email badmouthing your boss (you work at, say Sprint or MCI) and it travels through a Sprint or MCI portion of the backbone, even if you sent it from another provider, can they then still read your email, because you work for Sprint or MCI?

Re:What about...

[JurriAlt137n]

doing a good job. My employer will neither check my e-mail nor whine about what I'm doing on the Web as long as I get the job done. Period.

Re:What about...

[mce]

Yes but.

Whether I'm doing a good gob is something my boss has to judge. Wether I'm using e-mail to talk to my bank manager (hey, it's just an example), is somehing that the IT department might decide to look into, whether my boss thinks it's a good idea or not. By the time I can reply with "My boss is extremely happy with my work performance and even stated that he'd like me to have a twin brother such that he could hire him as well.", the damage may already have been done.

Not that the above matters much in my particular case, but in principle it does.

--

If I'm going to piss on anyone

[ackthpt]

I do it over the phone, or from home using my personal email account. I'm so amazed at examples of the following:

People who trash their employers via company email.

People who trash fellow employees via company email.

Executives who say damning things about their company behaviour around a live mic or in email.

How often this sort of thing finds its way public

I'm not surprised at how many dumb people there are int he world, just disappointed.


--

Their servers, their rules

[Masem]

As I commented on in the Linux in the workplace article, the email servers and network connection are there because the companied is paying for the equipment and upkeep of that, therefore they make the rules. Not all companies are draconian on email/internet activity restrictions, so if you don't like that company's rules, get a job elsewhere.

I personally avoid using work email for anything beyond work correspondence, and while certainly not draconian, I feel that it's a responsibility to my place of employment to minimize the use of email for personal business.

Now, if the rules extended to any email/activity from any account even outside of the company's control, then it becomes a free speech issue. (i.e. use hotmail or other web-based emails if you really want personal email at work).

Re:Their servers, their rules

[crivens]

"I personally avoid using work email for anything beyond work correspondence, and while certainly not draconian, I feel that it's a responsibility to my place of employment to minimize the use of email for personal business."

Finally! Someone who talks some sense!

Re:Their servers, their rules

[Detritus]

Not all companies are draconian on email/internet activity restrictions, so if you don't like that company's rules, get a job elsewhere.

I get the impression that many slashdot posters have never lived through a severe recession or depression, where jobs are scarce and getting a job elsewhere is not a practical option. They are going to be in for a shock when their employer unilaterally cuts their pay, and imposes new duties and rules. You don't like it? Quit. There are 100 people waiting in the HR office who would be happy to have your job.

Re:Their servers, their rules

[ShieldWolf]

This is not true; just because you own something doesn't mean you can specify how it can be used. If I lend you my phone, it DOES NOT give me the right to tap or bug it (doing so would send me to prison). Corporations should not be afforded rights that are not provided to individuals.

-Shieldwold

Re:Their servers, their rules

[Masem]

My comment is made considering the IT market today -- if jobs are so scarce, why do we need more H1 Visas?. I know that 5 years, we just might be in a recession, and the market might soak up. Or in my case, the market for chem eng is sufficiently tight that job jumping isn't as feasible in IT at my particular education level. But for most that read slashdot, the employee's market is still very very strong.

What if this gets extended...

[AFCArchvile]

...to include forms submitted to webpages and FTP transfers? E-mail might just be the beginning of this Hobbesian renaissance.

(Hobbesian = compliant with the social philosophy of Thomas Hobbes [i.e.: paranoia regarding the "inherent wickedness" of people and their tendency to do bad things when out of the scrutiny of authority])

Ok, repeat after me.

[arkham6]

Everyone who's screaming about personal privacy being violated, please repeat after me. "The machines my company gives me do not belong to me. I have no rights to privacy on company machines. I cannot do whatever I want to company machines. I cannot install Linux on company machines if they don't tell me I can. I can be looked at any time to see what I am doing on a machine that the company is loaning me to do work for them. If I want privacy and the ability to do things to machines, I can do them to machines that I actualy own. Otherwise, I will not whine."

Now keep saying that until you grok it.

Re:Ok, repeat after me.

[Ndog]

You know, I agree with you. Every day, when people log on to US government machines, they recieve a message along these lines:

***WARNING***WARNING***WARNING***WARNING*** YOU HAVE ACCESSED A UNITED STATES GOVERNMENT COMPUTER. USE OF THIS COMPUTER WITHOUT AUTHORIZATION OR FOR PURPOSES FOR WHICH AUTHORIZATION HAS NOT BEEN EXTENDED IS A VIOLATION OF FEDERAL LAW AND CAN BE PUNISHED WITH FINES OR IMPRISONMENT. (PUBLIC LAW 99-474) REPORT SUSPECTED VIOLATIONS TO THE INFORMATION TECHNOLOGY SECURITY OFFICER. ***WARNING***WARNING***WARNING***WARNING***

Yet people still don't get it. So many people think the machine belongs to him/her. Crap shareware is installed, they instant message all day, browse the net, and just generally do things to f-up their systems. That doesn't even include the things that are more than simple time/productivity wasters, like visiting inappropriate internet sites. People should realize that the tools they are given are for work. Sure, certain leeway is given by most companies, but the employees still should be aware that this doesn't have to be the case.

Anyway, I've got to get back to my browsing.

SSH tunnel, anyone?

[Soruk]

There are the obvious solutions, e.g. using an ssh tunnel to an external web proxy and doing all your non-business-related emails through that or at the external shell account at the far end of the ssh tunnel. All you need is a shell account on an external box and a copy of Junkbuster to act as a (non-caching) web proxy to tunnel to. Of course it helps to have sshd running on the remote box too...

now if only I could find a free ssh program that supported port forwarding/tunneling for Windows...

Re:SSH tunnel, anyone?

[Soruk]

Following up my own post... I've found that free SSH thingy. TeraTerm Pro. Dunno what the current version is, but ver 2.3 (1998) is doing the trick.

Re:Just prepping up for the future...

[AFCArchvile]

...in case a law like this is passed in the US.

Actually this is not the full story.

[Arimus]

Coincidentally the UK has signed up to the European Human Rights act, and also recently the Data Protection Act has been ammended. I am unsure how much of the HR act will cover this but...
I do that the DP act states that employers should not subject employees to continual monitoring of their private affairs.... this includes emails, telephone calls etc - whether made using employer resources or their own.

Having said that I don't see the problem, I use my works email for *personal* use during the day, but personal use does not include bitching about my boss, distributing porn etc. If you can't be sensible then you probably will lose your job anyway.

Encryption is no protection

[Jez]

> If I was gonna bad mouth my boss, I'd use my
> domain as the email address, and PGP crypt the
> message.

Not enough! The RIP requires you to hand over your private keys if asked to by the Home Secretary (or some designated by him, so realistically any policeman) or face imprisonment.

Frankly it amazes me that Jack Straw can't see the contradiction between passing legislation like the Human Rights Act on one hand, and the RIP act on the other.

Re:Encryption is no protection

[Jez]

Well I'd hope so, but I doubt it. The Human Rights Act means that the cases that use to go to the European Court (which typically took years) can now be heard in the UK courts (hopefully taking only months). However, the HRA does not give judges the power to strike down legislation. So if a case is brought, and the courts rule the Home Secretary used his powers under RIP unlawfully, it won't mean that the RIP act *itself* is unlawful.

Re:Encryption is no protection

[Stonehand]

Can employers ask the police to invoke that authority without, say, the police deciding that a criminal investigation is needed?

Hmmm. Went to the Home Office site and got a 404 for the final version (the 4 August 2000 HTML). Obnoxious, that.

Re:Encryption is no protection

[Kiss+the+Blade]

It will be intersing to see just what effects the Human Rights Act is going to have on UK law. It seems to me that much of British Legislation is built on the assumption that the government is fundamentally composed of good people (stout fellows). This is the tradition that the RIP act comes from - 'okay, it does infringe on peoples rights, but we're British, Dammit! We don't abuse peoples rights by nature' - this seems to be the general attitude.

However, the Human Rights Act comes from an entirely different tradition, that of continental Europe, where they don't trust the government, and with good reason, given their history. This means that the Human Rights act will probably clash will all sorts of surprising parts of British Law, and I don't think this will be a good thing

An example might be in Scotland, where traffic speed cameras may have to be removed thanks to the Human Rights Act.(the idea is that they can identify the speeding car, but not the driver, so it's stupid to prosecute the driver of a car caught speeding)

I'm not saying that I agree with the RIP bill, because it seems to abuse the most fundamental of British Traditions, that of innocence until proven guilty, but I am wary of the different directions that British Law is being pulled at the moment, on the one hand by Jack Straw and his blatantly idiotic laws (bye bye trial by jury), and on the other by the alien edicts and ethics of European law.

I think it's about time we ignored all these foreign infringments, and realised that British Law should be dealt with within it's own traditions as it always has.

Re:Encryption is no protection

[Anonymous+Coed]

I'm Merkin and even then Jack Straw scares me silly. At least his son is a reefer man.
---

Re:Encryption is no protection

[clare-ents]

In the case of speeding tickets from cameras, you have the right to remain silent - i.e. not to fill in the form. Then they have to prove *beyond reasonable doubt* that you were driving.

This is especially difficult if more than one person is licensed to drive the car and more than one licensed driver is in the car at the time.

This is how...

[xtermz]

its always been on military computers. As I look at my monitor right now, I see a big fat sticker that says 'consent to monitoring, use of this computer constitutes consent to monitoring at all times ' etc etc etc. I dont see what the big deal is. Its the same principal in the corporate world as in the military.... you have access to potentially damaging material (if it gets in the hands of the wrong person). If your doing anything to put your org at risk, well then you lose your rights to 'privacy'. also, its _their_ equipment. Thats why I never send personal email from my work box. as far as Web surfing, etc, dont go to any sites that may not shine in yoru favor. use common sense.... ...

"sex on tv is bad, you might fall off..."

Mail to my wife

[JurriAlt137n]

Dear Jane

After having started on my new job today, I'm afraid I have some bad news to tell you. The work I am doing here is very challenging which might cause me to do some real overworking. The fact that the boss is a really nice guy obviously has something to do with this. I seriously suspect him to have been a sergeant-major at least in Her Majesty's service, as the charisma and leadership of this man is unrivaled by any previous employer I have worked for. It seems as though this is the place where I belong. The job I have been looking for all this time. I must stop now, as I feel it is inappropriate to take more than 10 minutes of breaktime a day.

Sincerely yours,
me

Get a laptop and wireless

[sips]

I guess if it's that critical that you send email at work get a laptop and one of those really expensive wireless links and just bulk send all you written email at once.

Re:Get a laptop and wireless

[Panaflex]

Actually, here in the states at least, I use my own computer at work. They can listen in on your system, but you can use SSL instead.

Also, because it is your machine, the only thing they can say is to not bring it to work. Not bloody likely in my field of business.

Pan

Her Majesty's Government doesn't get it

[henley]

The bottom line is that HMG doesn't get I.T. At all. It's sickening really; we have Smilin' Tony telling us we want to be at the forefront of the e-revolution, and then a sickening bunch of has-beans toadying along behind coming up with crap like the R.I.P. bill and this load of old tosh.

The extent of the problem was highlighted on the BBC Breakfast news when the self-styled e-minister Patricia Hewitt said that although yes, the Government was allowing employer snooping, it was only for "reasonable" uses. To paraphrase the good lady "Employers shouldn't pry. We trust them not to go looking at messages that are private". e-minister *blech*. Bet she wouldn't know a website from a kick in the teeth, let alone exactly what barrel of worms she's just opened. "reasonable use only".... nice. Let's see someone get a legal definition of that one; it'd be like nailing jelly to the wall.

What's worse is that Her Majesty's Opposition is just as technically inept, if not more so. I don't mind so much the boneheadedness (hey; I'd make a crap politician so why should they make good geeks?), but I am fed up to the back teeth with smiling baby-kissers telling me all about how great the technology is and how they know *just* how it needs regulating.... Oh, and then hold 1 week unannounced "review" periods for public consultation, then trumpet their spawns-of-satan legislation as "widely approved of by industry and public".

The thought of actually going out and *asking* people what legislation they need (other than the police, of course, who have predictable knee-jerk reactions hence RIP), and *listening* to them instead of patronisingly telling them what they want could never occur to this bunch of rabid style-over-substance image-is-everything inept sheep. I mean... not towing the party line? showing evidence of independent thought? not being "On-message"? Heaven forbid.

TOh dear did I really type that load of tripe? Ah well, it's off my chest now. Just scroll down a bit will you? There is nothing to see here. I'm going to go and lie down with a cold towel and maybe lay off the coffee for a bit.

hushmail.com for secure web based email

[cariaso]

Sorry to be posting such a blatant ad, but I've begun to use hushmail.com for just this reason. Its web based, but done in a java applet, so that every byte that travel over my employer's LAN is strongly encrypted. Nervous folks in the UK may find it useful. Hushmail

I'm amazed they couldn't already do it.

[dinotrac]

In the U.S. an employer is fully within its rights to monitor e-mail, phone calls and what have you so long as employees are informed that it may happen (not required on a per-call basis). There are some requirements to stop listening/reading once it is clear that you are dealing with purely personal material, but the cat is often out of the bag by then.

While annoying, it doesn't seem completely unreasonable. One should hope that nobody could stay in business investing the kind of resources to meaningfully monitor everybody's every move.

At the same time, one would like to think that employees who threaten others, conspire to steal, etc. could be monitored and apprehended.

Privacy in the US and Email

[Leimy]

In the United States we have basically established that email is the property of them employer. It is basically to be regarded in the same way as any other tool you would use. At work you are part of the company machine and all that matters is company privacy. In the home you are an individual and have more rights to personal privacy as well as family privacy. This shouldn't be seen as employers snooping into private matters. To every thing there is a season and work is not the time for personal privacy and concerns. :)

Re:Just encrypt e-mail with a proprietary algorith

[Black+Parrot]

> ..and make decrypting it a violation of the DMCA

Content-Type: exttay/yptocray; arsetchay="us-ascii"

Hi Sue. How's work today. Mine's a real itchbay, so I'm idinghay down at Jim's office, and just kind of uckigfay off instead of trying to fight the ullshitbay that it takes to get anything done around here. My new boss is a a real oronmay, and I'm "this close" to telling him to isskay my ass. I'm going to brush up on my resume tonight, and get the hell out of this itholeshay.

How 'bout an afternoon quickie? I was going to eaksnay out early today anyway.

Uh... shells, people.

[fade]

ssh tunnels to a shell outside the employer network. They can't monitor what they can't read, and they can't seize what you don't have in your possession. -f

Re:Uh... shells, people.

[...+James+...]

of course they could just block ssh at their firewall and put an end to that real quick...

Re:Uh... shells, people.

[Tassach]

Who says you have to run ssh/sshd on port 22? On the external machine, run 'sshd -p 80'. While it is possible to set up a firewall that examines traffic at the presentation/application layer to be able to distinguish between a http and ssh, rather than doing simple blocking at the session/transport layer, in practise this would not be feasible except in the most security consious enviornments.

In most circumstances, your privacy will be safe due to the ineptitude of your cow-orkers. Even if your network administrator is an uber-geek, just find out what he uses to secure his email.

Re:Just encrypt e-mail with a proprietary algorith

[arivanov]

.and make decrypting it a violation of the DMCA.

Irrellevant. It's UK. The RIP bill actually specifies that taking measures to intervene with decryption for monitoring purposes is a crime. If you are asked for your keys you must hand them off.

Re: Kenny

[EnderWiggnz]

Dear sir,

This is to report that "those bastards" have killed Kenny. I know that this is unusual for children to be repeatedly killed and brought back to life each week, but in this case, we thought in unavoidable.

Sincerely,
Bryan Boytano

tagline

New Labour? - New Stalinists more like

[NTSwerver]

Nice one Mr Straw!

It is now possible in the UK to get locked up for two years for failing to provide a key to an encrypted email (for example), even if that key has been lost/forgotten.

The UK is heading back towards the Dark Ages and I want no part in it.....now, how do you get one of those Green Card thingys?....

----------------------------

The Ludicrous Thing is . . .

[MightyMicro]

This resulted from a misguided attempt to give employees the right to email privacy in the workplace. This caused such an uproar from employers (like me) that the government had to reverse the legislation. Employers pointed out that it's *their* email system, not the employees, and that they have no right to privacy over snail mail that they send on the company letterhead.

And now the best bit: the UK government has given itself the right to read *everybody's* email by forcing all major ISPs to instal interception equipment. How is that for good, old fashioned, British humbug?

Taco's solution

[Fervent]

I guess I just don't see it. If I was gonna bad mouth my boss, I'd use my domain as the e-mail address, and PGP crypt the message.

Except if they were monitoring corporate traffic. Then it wouldn't matter whose domain you were using.

Encryption? Just use traffic analysis ("Hmm... it appears Rob is sending email through his own domain, instead of the company's domain. Why?")

Re:Taco's solution

[maddogsparky]

CT: "If I was gonna bad mouth my boss..."

So do we all need a private domain to rip on ourselves? ;)

Re:Taco's solution

[Fervent]

I have one on both sides of my Windows2000/Linux box. If anyone needs help setting up their own... :)

Re:Just encrypt e-mail with a proprietary algorith

[Black+Parrot]

> Content-Type: exttay/yptocray; arsetchay="us-ascii"

> How 'bout an afternoon quickie? I was going to eaksnay out early today anyway.

Well, my usbandhay, whom you refer to as your oronicmay ossbay, is taking the afternoon off, so we can't oitday here this time. How 'bout if I just come to the office, and we'll give the old oomclosetbray a try?

This goes way beyond employers, folks.

[websensei]

RIP authorizes employers to monitor employee emails, yes, but the scope of the bill goes far beyond snooping on dimwitted employees who haven't the sense to use discretion on the job.

This is from the Guardian Unlimited
(links, info on http://www.fipr.org/rip/index.html)

"...The RIP bill will make the UK the sole G8 economy to allow state access to decryption keys....."

So those suggesting PGP are SOL.

In addition, RIP

"...allows for the interception, surveillance and disclosure of journalistic material without prior judicial authorisation. As it stands, a source may be identified and compromised or action taken to prevent the flow of information without a newspaper even being aware of it, still less being able to challenge any applications for authorisation....."

Freedom of the Press (including its ability freely and privately to communicate with its sources) is a much more serious matter than Freedom of the Employee (to slander his boss, reveal corporate secrets or merely waste company time and bandwidth).

So tell me,

[JurriAlt137n]

how often did you have to do latrine-duty because the serge thought you were Slashdotting on the job. Nothing personal, just curious.

Re:So tell me,

[xtermz]

latrine? never used one, i go to the restroom ....being as though im not military, im a contractor......duh

"sex on tv is bad, you might fall off..."

Re:That's about as encrypted as the CueCat's data.

[AFCArchvile]

I was thinking of an insanely complex algorithm, with key upon key upon key upon key upon key. And the keys themselves are polymorphic, keyed to a specific time and day (by the Julian calendar), etc., etc.

You could use PGP but it wouldn't help

[PhadeRunner]

If I was gonna bad mouth my boss, I'd use my domain as the e-mail address, and PGP crypt the message.

You could but it wouldn't help matters. The RIP bill makes it illegal to encrypt things without registering your private key at a "trusted" third party key escrow agency. Claiming to lose your key if you don't won't work because it is up to you to prove your innocence not the powers to prove your guilt. You can face up to 2 years in jail it you have forgotten your private key and cannot prove it.

I for one will be moving all my email and crypt offshore and will be reading it over one-time encrypted channels such as SSH/SSL. I suggest anyone else who uses crypto in the UK to do the same. They can't do jack about it if its not on UK shores.

Sealand (Haven Co) anyone??

Re:You could use PGP but it wouldn't help

[henley]

The RIP bill makes it illegal to encrypt things without registering your private key at a "trusted" third party key escrow agency

Nope. No cookie for you. Key Escrow *was* in an early draft of RIP but was removed.

It is, however, illegal (carrying a penalty of 2 years chokey) not to hand over any keys when required *whether in your possession or not*.

Here's what *I* don't get

[OlympicSponsor]

Why aren't these people being judged on their productivity? You pay them X dollars (or pounds, in this case). They produce results worth Y. If Y is greater than X, they are an asset. If Y is less than X they should be fired. (Alternatively, you could say "Your Y is less than X, we will have to fire you if this doesn't change in 3 month" and let the employee decide whether to bump up the ol' productivity).

(Don't bother bringing up "porn == sexual harassment" because that is orthogonal to tracking and mail-opening)

Now, I realize that tracking an employee's worth in actual dollar figures can be difficult, but any manager worth a damn knows if she is getting bang for the buck out of her employees. Telling an employee that he should spend his 15 minute coffee breaks in the break room reading a book as opposed to emailing his wife to complain about his cow-orkers is just micro-management.
--
An abstained vote is a vote for Bush and Gore.

Someone else reading your email...

[brianvan]

What's the problem here? Does it matter really if your boss or the government is reading your e-mail? After all, I'm already reading it!

Yes, I know the results of your purity test! I know that you subscribe to half of the ZDNet Newsletters out there! I saw that you got a new login name for the Stileproject forums! I know that you got a e-mail receipt from "Internet Billing Company" regarding your "new subscription"... and that you did it during work hours!

By the way, that sick, sad love letter you sent to Jacquie from electronicwhore.com? I know your girlfriend wouldn't like to see that! (Judging from the nasty response you got back, I see Jacquie wasn't too thrilled about it either)

You see, at least the government or your company won't extort you if they read your e-mail...

Leave $200,000 in the white mailbox under the Cooch's Road bridge by 10pm Wednesday night and I'll THINK about keeping my mouth shut...

Re:Someone else reading your email...

[buttfucker2000]

Mod this guy down. He's karma whoring trying to be funny. Posts like this should be posted as AC.

Re:Someone else reading your email...

[brianvan]

actually, I forgot to check the anon box...

Then again, who said I was gonna get any karma out of it? I was actually moderated DOWN... which I assumed was going to happen. (it's not on topic enough to be modded up)

Besides, I still have my plus 2 (which I'm disabling for this post) so it's not as if I need to karma whore.

goody goody. now your karma is mine! (when I get my mod points back...)

/. Usage

[Sleekit]

I wonder how many .co.uk hits /. will loose ;)

Re:/. Usage

[Soruk]

I wonder how many .co.uk hits /. will loose ;)

According to any official web log my machine has never browsed outside the organisation's localnet. :-) /. sees this post coming from my external shell account, which I'm using as a web proxy and the far end of an SSH tunnel...

Re:/. Usage

[titus-g]

yup it's a bugger for sure.

Now not only can I now monitor myself, but I'll be forced to fire me as well.

Re: Kenny

[billybob2001]

Can I say RIP?

And no that is most definitely not off-topic, on either count.

Only if they know how...

[brunns]

My bosses won't be monitoring my mail - they wouldn't know how. They are all too stup...

£^(*&%%$£&*^^ - Carrier lost...

Who draws the line, and where?

[heikkile]

Many have said that the companies are supposed to be allowed to monitor what they want. That employees should have no expectation of privacy when using company equipment. To some extent I agree. But then again, how far is reasonable?

If I receive a personal phone call from my girlfriend, is it fair they listen? Is it fair they inform my wife, if she works in the same company? Or if not? When I take a break and use the corporation toilet, is it fair they videotape everything? Run chemical tests on the urine I pass there to monitor my stress levels? To monitor drug abuse? To screen for markers of inherited diseases or tendencies? If one day they get this mind-reading machine, is it fair to read my mind to detect if I am about to leave? about to be unhappy with the company? think private thoughts on "company time"?

is this just in the UK?

[IRNI]

I worked for a company a while back in Louisiana and they read everyone's email. I jokingly drew a picture of our HR guy as hitler with the nazi uniform and sent it to a co-worker... i was later informed that my mail was inappropriate by the HR guy and he demanded an appology. So is this just in the UK? Is it illegal here in the US?

How about some worthy UK Internet legal action?

[AFCArchvile]

...like shortening the TLD of sunsite.doc.ic.ac.uk to something a little easier to remember?

Re:How about some worthy UK Internet legal action?

[MightyMicro]

Er . . . well you remembered it. Besides, what's so difficult about sunsite at department of computing at imperial college, academic, united kingdom?

See also ist.co.uk for imperial connections.

Re:How about some worthy UK Internet legal action?

[Soruk]

...like shortening the TLD of sunsite.doc.ic.ac.uk to something a little easier to remember?

Try sunsite.org.uk.

But are they registered?

[jd]

Unless the company is registered with the Data Protection Registrar

AND the employee specifically authorises the company to store their personal data on the monitoring computers

AND the employee specifically authorises the use of that data for monitoring purposes

AND the employee has full rights to know WHAT is stored, at ANY time

AND the employee has full rights to ammend or correct data that is stored, at ANY time

they would be breaking the law to monitor their employees e-mail. I'm not exactly keen on the idea that employers have the right to snoop on employees - whistle-blowers need protection more than corporate executives - but provided the DPA is given sharper teeth to tackle abuse, I think that this might not be such a terrible thing.

(It's only an invasion of privacy if the DPA is essentially rendered worthless for this. You always need checks and balances, and the DPA is the only check your average Joe Bloggs has, right now, to handle computer misuse by corporations.)

separate email account

[peter303]

One for business- open to your bosses;
One for personal.

What then if you read your personal account
on a work computer?

Phone calls

[GutterBunny]

If I call my wife from my work phone to check in on my family, should my boss be allowed to listen in? It's their phone.

same issue

Re:Phone calls

[Bug2000]

Why don't you use your mobile ?

Everyone can read your email

[CharmQuark]

I don't think this changes much. Email is generally plaintext, and is extremely vulnerable to sniffers. Everyone should assume that their unencrypted email is public, their encrypted email is somewhat less public, and not say anything that would get them in trouble. Not doing so has landed many people in very uncomfortable situations.

As far as employers reading email, this has been the de facto case in U.S. for a long time. As has been stated before, the servers are the employers, the software is the employer's, they have control over the all data that passes and is stored on those devices. It may suck, but I don't see the realities changing any time soon.

When I did personal email on a corporate machine outside of the corporate network (i.e. a laptop at home), I used my personal ISP. Not a free email account that one logs into through the corporate ISP, but a bon fide personal ISP. I don't think one can complain about being caught using the corporate ISP for net sex at home. It is also important to use an email client in which one can quickly change between email accounts. This is one of the main reasons I stick with Eudora. I get to choose the account I will use with each outgoing message. This may not seem important but with many ISP still not as secure as they should be on their outgoing mail, it is useful. I know many people who use Outlook and the corporate ISP in an effort to save a buck. This is certainly a false economy.

Re:Just prepping up for the future...

[ichimunki]

This law doesn't need to be passed in the US. US employers pretty much already have this right. In fact, the law in the United States seems to support business in depriving you of what would otherwise be your civil rights. Some employers already engage in search and seizure of actual persons and personal belongings. Many employers require that you submit body fluids for testing. Video surveillance of employees is rampant (and is often done covertly, just as much as video surveillance of customers is done-- in fact, monitoring one often makes it trivial to monitor the other). Employees seem to be able to deprive you of your ability to sue the company by requiring "mediation" for all disputes. They frequently deprive employees and contractors of their ability to build a career through dead-ending tactics like non-compete clasuses.

I fully recognize that civil rights are about government and not business, in fact that's what I'm complaining about (such a myopic view of rights in modern society), so please, no flames about the semantics!

School.

[jimbix]

At my school (which my parents pay a lot of money to send me to), they have banned web mail access, and force us to use the school exchange server. The admins then read our mail if there are any swear words, teachers names etc mentioned. So is this a violation of our personal privacy? Especially since we are not allowed to use personal, non-school accounts. However, I wrote an outlook vba plugin that encrypts text in 40 bit encryption based on a passphrase. Now none of the messages are picked up by the admin.

Re:How is it different?

[aziraphale]

Suppose I post mail bombs during my lunch hour. Put my stamp on them, but put the sealed parcels in the company mail basket. Now there are company employees and equipment involved in committing a crime. Does the company have a privilege to stop me doing this? Oh, I think so.

I would hope that the employees handling that mail were allowed to say 'hmm. This parcel's ticking. Maybe I really ought to tell someone about it'. The personal privacy argument is that it's none of their business, and I should be allowed to get on with it.

If there's something you don't want your employer to know about, don't use the company's resources. Don't put your letters to the STD clinic in the company mailbasket. And don't use their computers for e-mails they wouldn't approve of.

Re:Just encrypt e-mail with a proprietary algorith

[jakbal]

I see lots and lots and lots of people saying
"Hey, you're on your companies cpu, network, and time; you shouldn't be doing this anyways!"

...and to those people I ask: Are you at work?
(I'm on lunch break, personally)

hey, just curious

Thought PoLiCe

[bushboy]

This smacks of nothing more than blind paranoia.

It's actually Facist - like reporting your neighbour to the cops if you see 'suspicious behaviour'

Anyway, I think the office workers will make there own rules anyway - they always do !

Cultural issue

[mirko]

I am married and I communicate through email with my wife.
We happen to exchange, say, 3 or 4 mails during the day. which is not that much.
We consider it private and would be quite pissed off if anybody decided to monitor our conversations, even though they remain "soft" because I am here at work and not prepairing tonight festivities.

I admit English accept this rule, because they're so.
But I take this story as a warning not to accept my next job in England because if I am considered as brilliant by my colleagues, I also admit I use the corporate network to coimmunicate a bit while working. It is necessary for me to swap between tasks.
I then should be considered as somebody who's working habits are shocking ?
what about my work, what I am here for ???

If this law was about to pass in a Latin country (France, Italy... even here, in Switzerland) most people would refuse it because I am far from alone in this case.
--

Re:Cultural issue

[mirko]

You don't seem to understand the point : even though I know this *is* possible, I don't want it to be considered as *legal*.
I want to have the right to contest such practices.
--

It's the "gimme" generation

[hawk]

Why, how can you possibly not understand this. The computer is theree, therefore I'm entitled to privacy. In fact, I'm entitled to have my employer provide a computer to use for my personal matters during working hours. Not having one just isn't *fair*.

Furthermore, my employer has absolutely no right to question what I do with its property that it provides me. It's not like it has any right to control the use, nor that it amy get sued for my use of company property.

Why do they think I'm here? to do stuff for *them*???

Furthermore, I demand full privacy screens to protect me from them
monitoring me . . .

*********

Given that the employer has absolutely no obligation to allow personal use, there's no privacy issue. Personal use is only permitted on these terms. Don't like them?--demand your money back.

hawk, esq.

Re:It's the "gimme" generation

[Scooby71]

A couple of points.

In the UK the employer does have an obligation to provide a phone, free from monitoring, for personal use. This is in recognition that people do need to take care of personal business in working hours.(For Americans who see any employee rights as an affront to the sacred cow of free enterprise, I have never seen a complaint from a business that this is unreasonable)

Email is becoming widespread, but many people do not have access at home, therefore use it at work. In moderation this will have minimal impact on effectiveness, but personal email may contain information that you would wish your employer not to know - that job offer, or that test for a serious disease.

Yes, you should use other methods, regardless of the legal status, but this enshrines the employers right to snoop.

Re:It's the "gimme" generation

[ColdGrits]

"In the UK the employer does have an obligation to provide a phone, free from monitoring, for personal use"

Umm, no they don't. Kindly point to the relevant piece of legislation - what's that? You can't? I wonder why...

wire tapping

[Merlinus]

Just because it would be stupid to bad mouth your company using company e-mail doesn't make it right for them to snoop on you. This is no different than if it were OK to wiretap our work phones. This kind of legislation moves us closer to a reality where we are all slaves to our employer - where everything we think or do is not our own.

reality check...

[m.o]

When I first worked for a big financial company, I found out that the contract I signed warned that my boss could read my e-mail. I was slightly worried, went to him, and asked about it. He started to laugh and couldn't stop for like 5 minutes. I asked what was so funny, he said that if in addition to his 80-hour workweeks he were also spending any amount of time reading his employees e-mail instead of drinking beer or going home to his kids, he should've been shot for being an idiot...

So stop being so-o-o paranoid. Plus, you can always use yahoo or even your cell phone to send e-mail, so what the fuck is the big deal?

My thoughts.

[mindstrm]

After reading some of the posts.. here's a thought.

Someone brought up the point about personal snail-mail at work. Your employer does not have the right to open your mail, so why should they open your email? Well.. here's why, although a bit abstract.

There is, due to long-standing law, as well as the fact that something is in a sealed envelope, a reasonable expectation of privacy when you send mail in the post office. (Recall, if you sendt a post card, with no envelope, there is NO expectation of privacy; anyone can legally read it.)

The internet at-large is basically a *public* network. Yes, it's 'public' in a different sense than we usually use, but the fact that you have no real contorl of where your data goes after it leaves whatever you DO control.... that makes it public. THat, coupled by the fact that you don't know the policies of every network your message will pass through. Sending unencrypted mail ils as good as sending a bloody postcard! Yes, you can be reasonably sure the whole world cant' read it, but anyone who happens upon it legally CAN (the postman, your boss, the guy in the mailroom). This equates to things like: The IT staff, your boss, etc...).

Think about it.
If your boss wanted, he could say 'I want to see ALL snailmail coming into the building. Now.. he *CAN*, I believe, do this. He cannot make you open your mail, but he can see the volume/where the stuff came from. After all, the mail was addressed TO HIS BUSINESS.

Use encryption. Seriously. Otherwise, it's like complaining about people using scanners on your cellphone calls (well, the US *DID* legislate against that, funny enough> Canada didn't.). Canada said 'well.. it's going with standard modulation over public airwaves... what did you expect? No expectation of privacy'. Of course, if it was *encrypted*, there is an expectation of privacy, and a scanner that could decrypt it may be illegal.

Re:My thoughts.

[ChaosEmerald]

What you're saing here just scares me in a way because of how similar it is to the DMCA. If you have a "sense of privacy" then it is illegal to break that. Isn't that exactly what the DMCA says? If the company has a sense of privacy over CSS then breaking it is illegal. It's still a form of communication. Or are there different laws for buisnesses in this situation then for individuals?

Oh well, you can't have your cake and eat it too...

Re:My thoughts.

[mindstrm]

No.. not the same thing at all.

Recorded music/media/whatever, the issue is all about copyright, NOT about privacy at all. They may have a sense of ownership, but that's a completely different beast.

Traditionally, laws regarding mail (and other communications, such as cellular phones) were based around whether or not the parties involved had a reasonable expectation of privacy.

ie: Conversations and eavesdropping. If I'm in the middle of a field whispering to my friend, and you use some sort of listening device to amplify my conversation so you can hear it, you would be doing an illegal act.

If I am in the middle of a field yelling at my friend, loud enough that you can hear it with your plain ears, and you use some sort of device to amplify it a bit and record it.. you are NOT breaking the law. I had no reasonable expectation of privacy if I was yelling.

Same used to be (and still is in Canada) with cellular phones. It's not whether you had an expectation of privacy, but whether you had a *reasonable* expectation of privacy. Yelling loudly and saying 'I thought nobody was around' is not reasonable. Taking steps to make yourself not heard IS reasonable'. As with cellphones.. transmitting over public airwaves in the clear (the airwaves are *all* public), even though you may be ignorant to the physics of it, does not give you a reasonable expectation of privacy (under canadian courts, anyway). You are broadcasting something that can be picked up by any capable radio receiver.

Copyright has nothing to do with privacy. The DMCA (not that I'm defending it) is about copyright. Making it illegal to break a copy protection mechanism is NOT equal to the act of violating a privacy protection mechanism, though both MAY use encryption.

This takes me back to the BBS days..

[BilldaCat]

I used to be a sysop of a WWIV board and I would read user's mail all the time. My system, my phone line, mine mine mine. Same situation applies here.

//MAILR is good clean fun. :)

They'll RIP the keys out of you

I guess I just don't see it. If I was gonna bad mouth my boss, I'd use my domain as the e-mail address, and PGP crypt the message.

The whole point of the RIP Act is that they can demand that you decrypt on demand from law enforcement. Failure or refusal to do so is an offence with even greater penalties.

of course a company can read thier email system

[CmdData]

Any company's email system belongs to that company and therefore is the sole property of that company. The bottom line is that you never send or receive personal email on a company's time. That's not what they are paying you for. They pay you to do what's related to your job. I'm head of security for the company I work for and if I want to monitor an employee's email I can do so because everything inside the company is the property of that company and not the individual end user. We have sniffers placed throughout the network on every subnet that listens for certain data to come across. Our Exchange servers and Internet connected SMTP servers also monitors all email for content. We use Trend Micro's VirusWall with Email content management plug-ins for stopping spam and other email security violations. We are located in the US and our legal staff have already confirmed that Companies can deploy content management and control over their email systems and can also read any email that passes through the company's network. Also we don't need employees wasting time doing personal things at work and we don't need them using up Company's resources since the resources are costing the Company money.

Its been like this in the US forever

[KarmaBlackballed]

It is no big deal. Just common sense. If someone pays your salary and provides you telephones(e.g. voice mail) + computer equipment the use of that equipment is their business and the use of your (time during work hours) is their business.

I don't employ anyone, I just live under these conditions and they are okay with me. When I want to badmouth someone, I do it on my own time from my own PC.

whoa!

[brad3378]

UK Employers May Read Employees' Mail

When I read that headline, I first thought it meant that it was refering to snail mail.

Apparently it only refers to e-mail.
(Or should I say "email" ?)

;-)

So what?

[0xdeadbeef]

Is there anyone else who really doesn't give a hoot about email monitoring? If your company respects you, they're not going to be a snit about personal use of email and web surfing, unless of course, you're obnoxious about it. If your company acts like the Gestapo, well, find yourself a new employer. It is the company's resources, after all. And if you're divulging secrets or bad-mouthing other employees, well duh! you moron, of course you're going to get smacked.

I myself keep job inquiries in my inbox, just as a warning to any snoopers: mess with me, and I can walk in a heartbeat.

What too many people seem to forget though is the imbalance of power in this situation. Your email is suspectible to snooping by upper managment, but how many of you have the oppurtinity to snoop on their personal doings at work? And before all your submissive lap-dogs whine about "it's not your job to know what they're doing", remember that a great many wokers in the tech sector are stockholders in the companies for which they work. I have just as much desire to see the company succeed as the suit with the inflated salary, and I have a right to know that he isn't wasting my money.

But alas, that's the corporate republic for you. It's feudalism, not democracy.
--

Re:Let's be realistic....

[TomV]

My advice to the limeys. We could always use a 51st state. Join us for some real fun, and much better food

OK, no problem.

What's the population of California, 30 million or so?

There were 60 million of us at the last (1991) census, so given the influence of CA in, e.g. and topically, Presidential Electoral College, or the House of Reps, we'll be your very own 900lb Gorilla of a State. Just try electing a non-British president once we're in...

Total domination of one remaining superpower. The Empire Strikes Back?

TomV

Re:It's been like this in the US forever

[PigleT]

Agreed, sort of. It's long been traditional since I grew up reading unix sysadmin books by O'Reilly that employers should be able to track stuff, certainly in the case of abuses of the system.

Where all the modern fad of calling it a breach of privacy has come from, I dunno.

How much mileage is there in the view that "freedom of speech is fine, but abuse it and lose it"?
~Tim
--
.|` Clouds cross the black moonlight,

That's right! Nail the bastards!

[OlympicSponsor]

They are using our bandwidth to send personal mail--so we should be allowed to read it!
They are using our phone system to make personal calls--so we should be allowed to listen in!
They are using our parking lot to park their cars--so we should be allowed to search them!
They are using our plumbing to take personal dumps--so we should be allowed to watch!
They are using our lighting to illuminate personal activities--so we should be allowed to monitor!
They are using our air molecules to vibrate with personal spoken messages--so we should be allowed to eavesdrop!

All of these things are "environmental". Presumably there is value to the company to provide them to all employees. If an individual employee is being unproductive, fire him. There's no need to read his mail, search his car or test him for drugs. If the mail system (or parking lot) as a whole is costing more than it provides, de-install it. There's no need to read everyone's mail or search everyone's cars.

Remember during the Olympics and how everyone squawked about how the FBI was reading the email from the kiosks? But the kiosks belong to some company or government--can't they do what they want? I'm using my ISP's bandwidth, does that mean they can cc all my mail to the FBI? No, dammit!
--
An abstained vote is a vote for Bush and Gore.

Hi, there's no protection in the USA

[small_dick]

In the USA, land of the free, home of the brave, the constitution, etc...employers have the right to scan all the transmissions on the wire, read your emails, whatever.

Just thought you'd like to know.

The last place I worked didn't delete ex-employees mail accounts, preferring to harvest and read what people sent them months/years after the employee left.

Re:Hi, there's no protection in the USA

[WillSeattle]

Very true. We in the USA have much lower protections than exist even after this law goes into effect in the UK.

We sold our privacy rights to corporate interests and they gave us promises of shiny baubles. And now our government tries to arm-twist nations that have higher privacy rights than we do into "opening the market" and reducing their consumer and employee privacy protections.

Re:Let's be realistic....

[Mr.+Piccolo]

Why would they want to join our sorry nation? We think Miller Lite is beer, after all, when it's just slightly malt-flavored carbonated water.

Re:Carrier

[brunns]

like the average /. reader knows what the carrier is

It's a kind of Pigeon. See, I do know how email works!

Probably Illegal

We also signed up to the European Bill of Human Rights recently which should offer the right to privacy. So the RIP bill may be illegal and is probably challengeable in court.

Re:Just encrypt e-mail with a proprietary algorith

[Nohea]

I work at a small company, so we've got better things to do than spy on everyone's communications regularly. However, i'd like to know how much encrypted communications are allowed at bigger corps.

Is encrypted e-mail allowed? SSH tunnels? I've heard of a lot of big corporations don't allow a lot of certain web access, including Yahoo mail, etc.

Boss Profile

[nigelb0]

So what sort of bosses like to see what their underlings are up to. Do they themselves believe they should be monitored also?

A while ago our head salesman logged on to check his shares, only to find a porno site had taken its place (temporarily). Those photos were in his cache whether he liked it or not, and our proxy logged the accesses. As it happened we were working in a small office and we all had a good laugh about it.

How would things be in a larger organisation where the monitor may be unable to see (or appreciate) the context? Would it matter if our head salesman was a junior instead?

Re:It's been like this in the US forever

[KarmaBlackballed]

Not sure I can agree with the concept of "abuse it or lose it" when it comes to freedom of speech, but then that is an unrelated topic. The issue here is whether an employer can track what you do and say with their equipment or on their time. I don't have a problem with that and it sounds as if you don't either.

Where all the modern fad of calling it a breach of privacy has come from, I dunno.

Superficially the claim feels valid. But as the courts are showing, it does not stand up to close inspection. I think this fad comes from the entitlement thinking that people can do whatever they want whenever they want and misusing company equipment or embezzling time are not considerations. :)

It's becoming so complicated !

There are things I do not understand.

If I want to say that my boss is a stupid idiot, can't I do that?

If I say that he'll kill me or that I'll kill him for the extra work he is giving me, I'm NOT saying that I or he will died. This is just a way of expressing my frustration.
Such comments are not intended to hurt the feeling of my boss. They are not even directed against my boss. They are expression (=release) of something that I had into me.

Anyway, this is a private conversation between me and someone else and should not be taken out of context.

I beleive I am the right to say what I want if I do not offend publicly someone, if I do not offend the person receiving the email.

Lawyers may say that this is not how things work, but I do not care what lawyers can say.
They should think a bit and realize that there are many more ways to hurt and insult people in a civilized and educated way! People that really want to hurt someone else would use this subtle lawyer-proof way and not a more direct one.

Talking to HR about your incompetent boss

[judd]

At one workplace, where I was a union representative, there was an issue where someone was being victimised by their immediate supervisor. The HR department were quite enlightened, and were pleased to have evidecne that said boss was responsible for the alarming rate of resignations. It was a large site with open-plan offices. Private phone calls to HR were impractical. Note, all parties concerned were workers at the same organisation.

In general, a private channel is often very helpful in intra-organisational disputes.

Stephen

Not an issue for the careful anyways

[KarmaBlackballed]

A cautious person does not leave embarrassing voice messages or send inappropriate emails from work regardless if the law says the employer cannot look because technology enables them to look anyhow.

Whether their lawyers advise them to keep the peeking quiet is secondary to the fact that they may find things you don't want to share.

Martin Spammer?

[po_boy]

it's no wonder that a guy named "Martin Spammer" would be concerned about his employer reading his email. He must be the source of all those "Make money fast" mails I get.

(Sorry, Martin. I know it's "Spamer", and you probably don't even spam people, but I couldn't resist.)

Re:Let's be realistic....

[Kiss+the+Blade]

I think if it ever came to pass the Americans would be very aware of this. The solution would be to have Britain join as 5 states: Northern England, Southern England, Scotland, Wales & Northern Ireland.

What would be good, IMO, would be to pull out of the EU (but remain in EFTA) and join Nafta. The treaty of Rome states that we are not allowed to make any trading agreements with countries outside the EU, in contravention of the Geneva Convention, I think, so this would be necessary. Still, damn the undemocratic, protectionist, backward EU! We should become a globalist looking power.

It's NOT just work email! (repeat: NOT)

[JamesGreenhalgh]

Lose 2 marks for bad reporting again, somewhere along the line.

This bill does not specifically give UK employers more access in terms of monitoring their staffs email.

This bill gives the UK government + police services, access to monitor *ANYBODYS* email, for any reason, even if you are not under suspicion of having committed a crime. It's not even email either - they can demand the ISP feed traffic in general their way.

If it was just work mails I wouldn't really care - it's their bandwidth, but the fact is that the RIP bill is in fact there purely to give the authorities unprecedented power to intercept the communications of the general populace, to demand their decryption keys (or face prison), and other such lovely fluffy things. It's big brother, approved by a government with no clue whatsoever.

If anyone offers me a job in the US, I'll move..

Encryption is no protection from RIP

[Danj2k]

>I guess I just don't see it. If I was gonna bad
>mouth my boss, I'd use my domain as the e-mail
>address, and PGP crypt the message.

PGP encrypting it would do you no good, RIP gives the government powers to demand that you hand over your encryption key(s). And if you don't comply, or you've lost the key, or something? 2 years in the slammer.

There's an interesting article about RIP and what people can do to avoid it at http://www.fipr.org/rip/RIPcountermeasures.htm

Video camera on toilet

[DVega]

Users need to realize that the computer they use at work belongs to their employer, as does the network, the internet connection, and the service to keep it running.

And also the toilet belongs to the employer. So don't be surprise to find a video camera on it.

Try Hushmail

[u02sgb]

I was worried about this for a while (thinking about leaving). Simple solution, use www.hushmail.com. Alright for the super paranoid there's still keystorke monitorig, but come on.

My concern would be...

[geobaker]

...not that I am say things about my employer, etc., but that a quick personal note regarding, say, my weekend plans, will be read. Lucky for me, my company wouldn't.

However I have a friend who is afraid to send an email saying "I had fun at the movies Sunday, let's do it next weekend too" because her company has made such a big deal about personal email on company pcs. That company already blocks all web access (so no webmail), and put every new hire on probation for 6 mos. She's almost done with that, but she's still paranoid.

and yes, she should get another job, but it isn't that easy for her. And I am concerned about the attitude of companies that basically assume that their employees are going to screw around on the job such that they block web access and monitor emails to 'keep employees in line'. That speaks to something being wrong in management right off.

hey Taco

[splinter]

It's all fine and good for you to use your own server and domain, but there are millions of other internet users who can't afford or will not get that luxury. Are their rights to privacy less important than the rights of the internet elite?

Why go to work to do your own personal stuff?

[verbatim]

You go to work to do what?

I hear an AC in the distance, calling out... WORK.

I agree that it _sounds_ like invasion, but you have to remember that you, the network, the computers, etc, are all assets of the company. The company has a right to know how its assets are being used and has the right to control how those assets are used. A reasonable manager may allow some non-work related activites (helps to reduce stress, makes people happier, etc) but they have the absolute right to know whats going on with their property.

If you don't want your manager reading your e-mail, talk with him/her first. If you aren't happy with the result - work elsewhere and don't bitch about your loss of privacy.

PEOPLE, afaik this is not the government coming into your home for information or allowing them to peruse your personal e-mail. It simply lets buisnesses control what goes on at work.

Now, on to the encryption thing. I don't agree that you should be forced to divulge encryption keys for any reason except if you are using buisness resources. If you send an e-mail over the compnay network (when you should be working), I believe that the company has an absolute right to know what the contents of that message were. If, however, you are at home and sending encrypted messages to friends or whatever, you should not have to reveal the keys to that stuff (regardless of the subject of the messages).

Just my $0.03 ($0.02+tax)

Verbatim

Re:And

[Baba+Abhui]

Weren't you supposed to be on vacation, impostor?

encryption fails for screen-dump interception

[peter303]

Some of the spy programs operate at tail end of transmission- that is, dump your screen perdiodically, say every 30 seconds. Private accounts and encryption would fail here. This spying is popular inside the home, but may be unwieldy in a company.

Re:NSA everywhere

[peter303]

They always have been.
Send some plain test mail with certain kinds of threats in them and you'll be hearing from somebody. This trivial to do in the current internet.

Don't dial 9 ...

[cah1]

If you want to make a call on company time do you

a) use a mobile
or
b) dial 9 and have your boss foot the bill?

Pleenty of business routinely record *ALL* phone calls. Banks, for example, will record calls so that they have evidence if a trade goes pear shaped.

If you want a private, personal call, use your own private, personal equipment.

If your email can't wait until you get home to use your own equipment (assuming you can't SSH into your account via your work machine) then suck it up and exchange expedience for privacy.

Or go and become your own boss.

Besides which, most companies aren't interested in snooping - they're too busy staying afloat!

Conspiracy.. 8-)

[main()]

It was only a few months ago I picked up a copy of "Professional Manager" magazine or some such drivel discarded on the train. The feature article of which was about the European Human Rights Act and how it was -

a) going to stop public bodies intercepting personal emails
b) going to outlaw public bodies drug-testing employees

And other stuff which basically boils down to caring more about people and their privacy than the dictatorial whims of some corporate or another.

The article did say that these clauses only apply to "public bodies" (implying government-run I guess) but said the term was sufficiently broad for your average "Professional Manager" to be concerned.

How does this fit in with the RIP act? I notice that the Human Rights Act specifies that the laws within are only enforced "unless they are prevented from doing so by statute".

Which, all in all, seems a bit pointless. Anyway, looks like those Managers didn't have too much to worry about... its we "Unprofessional Citizens" who should be worrying ;-)

Si

Consider this...

[catseye_95051]

How would you feel if laws were passed allowing you boss to plant hidden microphoens and cameras in your office? Its really not very different.

Re:Consider this...

[fishbowl]

>How would you feel if laws were passed allowing
>you[r] boss to plant hidden microphoens [sic.]
>and cameras in your office?

Actually, a law would need to be passed forbidding this. It is legal today. Consider
the convenience store with the hidden microphone
and camera? How is that workplace different from
"your office?" How would you, as a lawmaker, word
the bill to make a hidden camera legal in one
workplace but not another?

But what if...

[frog51]

You receive a private email during work hours because that is when it was sent. It doesn't matter that you were actually going to look at it after work - it is on your machine now, so your employer can legally look at it.

This is seriously crap. Luckily I configure/play with the security on my company network so I am vaguely okay.

PGP good, but they can stick us in jail for not handing over our keys. This sucks.

Steganography better - if they don't know we're encrypting, they can't force us to handover keys:)



Frog51

Just use your own stuff

[chainsaw1]

If this is a concern, why can't you just use your own systems? ssh (telnet) in to your own box and use mailsystem stuff there. No files, etc. are kept on your (company owned) computer. And if security is a real concern, do use a mail name/nick that is not obviously you for when the company scans through other people's acocunts you may have been sending to.

The only items you need to do this is a smtp/mail-handler, a domain (check out www.dyndns.org for dynamic IP's) and a 24/7 account of some sort. There are HOWTO's for setting up sendmail, qmail, etc.

Plus, you don't have to worry about a mail quota :).

Phone calls are another good comparison

[SEAL]

At least in the U.S. - phone calls are offered a remarkable amount of protection compared to email. Even if you are at work, your employer would have to jump through a bunch of legal hoops to wiretap your phone without consent.

Of course, you'll notice more than a few companies nowadays (esp on their support lines) - saying something like "To ensure the highest quality service, this call may be monitored". If you continue with the call at that point, you are consenting to eavesdropping.

With email (apparently), privacy protections go out the window. And while I agree that you should be using company resources for company business, it seems like we should try to come up with a common standard for eavesdropping on communications of any kind.

Best regards,

SEAL

HACKING Parliment now Legal?

[gnarly]

Well, if reading your employee's mail is OK I guess this means that all Brittish Citizens, who together employ every Member of Parliment, have the right to read the email of their employees. Not sure the best way to read the email of any given MP, sniffers? Carnivore? Any ideas?

Your body wastes don't affect the business...

[devphil]

...but your email can and will. Your post is hardly a refutation. The point being made is that misusing company resources is wrong; not that you have no right to privacy at work. What you say is completely irrelevent.

Re:Your body wastes don't affect the business...

[ozborn]

Body wastes don't affect business? Many businesses would disagree with you, business who time the bathroom breaks of their employees or allow employee only a few (or no) bathroom breaks during the day. What about urine testing?

Your argument that "misusing company resources is wrong" can be be taken to riduculous extremes. Some companies won't hire or promote women because they might become pregeant, thereby affecting business resources by taking maternity leave. Is this okay? Give me a break.

Re:Your body wastes don't affect the business...

[Nick+Ives]

I dunno, I mean, I know a few people who's employers would most probably like to know about the bongs they hit in the toilets on their breaks. You could call *that* a "misues of company resources". Personally I dont think there is anything morally wrong with having a smoke in the bogs or using email for personal purposes.

I dont think there is much wrong with with an employer wanting to read the stuff that their computers are being used for either. Having said that, I dont think they should be able to take any action against you unless you actually break the law using their systems, so if you happen to use your company laptop to download porn they shouldnt be able to do anything to you....

Moose, brain, mush...

Nick

Massive security hole created by RIP :-)

In the UK we have a law called "The Official Secrets Act". This is a catch all law designed to protect state secrets (and bent officials). With the RIP this Act no longer has any value. For example if I am an employee in a defence company I could have access to information with a high security clasification. Who knows it might be provided by the DOD. If then a person who claims to be an official either from the police or appointed by the Secretary Of State then approches me with a piece of paper that says I am being served with an order under the RIP leglislation. I cannot check if the order is genuine without risking two years in prison (by a court sitting in secret). Therefore I have to:- 1. Hand over the information and encryption keys irrespective of the security classification of the data. 2. I must keep the fact that I have handed over the information secret from EVERYBODY. I cannot tell my employer, the police, a judge, any member of the security services. If I do I can get two years in prison. The net result of the RIP in Britain is not only to make E commerce a joke but to mean that any East European spy (or whatever) can personate a UK official and walk away with any information no matter how high the security rating, whilst knowing that the victim has to keep quiet. Sorry guys all data in the UK is now up for grabs. BTW I have contacted my MP (member for parliament) who initially gave me a standard blurb from the minister. When I brought up the security implications there seems to be a much longer delay in getting a reply. Surly if this legislation had been properly thought out there should be an instant answer!!!! Yet again the UK is a leaky basket for its own and US secrets.

Re:Just encrypt e-mail with a proprietary algorith

[Teun]

The RIP bill actually specifies that taking measures to intervene with decryption for monitoring purposes is a crime. If you are asked for your keys you must hand them off.

But luckily for the inhabitants of this Land Of Big Brother there is a new European law protecting your rights. Of course jurisprudence is not yet available to prevent this gross invasion of privacy. When a company has a problem with an employee they can question him/her, there is absolutely no need for blanket snooping. No wonder the BBC reported yesterday? that the Brits are the most miserable-feeling people in Europe......

Digital Equipment Corporation

[CaptainZapp]

I fondly remember ther good ol' days in the beginning of the nineties.

The policy manual stated that if you snoop around a collegues file system (including e-mail) unauthorized, this was considered snooping in his desk drawers and could lead to immediate termination, no questions asked.

It was the same company that refused to drug test any employee with the exception of people working for defence contractors and the piss tests where required by the US gubynmynt and then only with due notice.

They had set up a couple gay and a couple of AA members only conferences on the huge internal network. I' m neither gay nor do I have too much of a drinking problem. But since it's a save assumption that you had ten thousand of each group working for DEC at that time, I figured this to be an incredible asset.

It was a matter of respect, dignity and trust.

Values that don't seem to carry much merrit when a crappy box assembler with it's main focus on marketing can just buy a piece of computer history and kill it off.

RIP won't lead to any arrests

[pyrotic]

We had a few words to say when the legislation was going through.

http://www.ripserve.com/rip/
Basically, they can't use any of the evidence in court, most of the government's intelligence targets are exempt, and honest companies will end up paying. But at least we get to sniff staff email - I thought that was sysadmin's job. With governments like this... No, it's been said already.

Great, now I can pull the secretaries

[horza]

This is superb, and probably the best reason for running my own company. I can monitor all the secretaries email, find out when they are vulnerable and what their weaknesses are so I can chat them up successfully, and if they let slip any *real* personal details to friends I may even be able to blackmail them into sleeping with me.

As for that civil rights b*stard in my office, if he makes any trouble I still have his email concerning the trip to Brighton, the donkey and the turnip...

Of course, if anyone doesn't like the email-snooping policy here they can always get a job elsewhere. But if we can all get away with it then we are all going to do it. The sucker will never work in this industry again muauauaua.

f*ckedBritain.com

PS It's not *just* the RIP bill that is driving all e-commerce activity out of Britain, the government has a raft of disasterous policies

Missing the important aspects of RIP

[IoT]

Trying to avoid rehashing the arguments of everyone else, the important parts of RIP are:

1) Obligation to surrender encryption keys

2) Obligation for ISPs to install monitoring equipment. (cf Carnivore !!)

see: http://www.fipr.org/rip/index.html

The UK has no history or tradition of freedom of information and first amendment rights. The RIP bill as originally proposed was extremely Orwellian. (The burden of proof was reversed for example on encryption keys - You had to prove that you had forgotten the pass-phrase for that that to be a defense).

The privacy at work issue is a smoke screen IMHO -it's your companies equipment & infrastructure so don't use it for personal use.

P.S. I work for an investment bank and I know for a fact ALL telephone calls (in and out) are recorded and stored for seven years.

P.P.S. The security guys usually have access to all the interesting security videos - usually at 20 GBP per tape :-)

Hmmm.

[shippo]

I live in the UK. I had a boss who did this (and more) 2 years ago.

Every account on the LAN had a blank password, which we were not allowed to change. The purpose of this was to allow the boss access to any email account when he pleased. Security on the network just didn't exist.

What was really annoying was that this was an isolated office network. Email access to the outside world was via a separate PC, situated next to the boss. If we needed to access a web-sire or news for support work purposes we had to do it from home.

Whilst I worked there one collegue had some personal mail delivered c/o the office, as he didn't have a permament address in the area. The boss opened this private mail and read it. I should have walked out then - I was already pissed off by the fact that I'd been standing outside in the rain for 45 minutes, waiting for the boss to turn up to open the place.

I only worked there for 2 days (I'd have not come back from lunch on the second day if I hadn't left some possessions in my desk). It was the work place I'd ever worked at.

Re:It's been like this in the US forever

[PigleT]

> I think this fad comes from the entitlement
> thinking that people can do whatever they want
> whenever they want and misusing company
> equipment or embezzling time are not
> considerations. :)

Agreed. I think "freedom of speech" needs to be justified rather than pulled out of the hat every time something goes slightly wrong.

People will want entertainment. Entertainment is not hacking. Entertainment is a zero-quality plain waste of time, IMNSHO.
~Tim
--
.|` Clouds cross the black moonlight,

Too busy to care

[Kryptic+Knight]

As one of those Network Administrators who is on the other end of the stick (as it were), and who has been deluged in the past few days with users asking me if they are having their email reviewed, my response is..

I've got far better things to do than trawl through your mailboxes.

Of course, anyone who does ask does pique my curiosity, but why do they believe that I'd want to see their latest JPG's of "my 2nd cousins best school friends mother in laws new grandchild".

sigh