Workplace Privacy Lacking
PaGeN writes: "It's about time. Per today's New York Times, thinking and respected jurists are raising eyebrows at the legal principle that seems to have sprung up overnight: "You have no right of privacy in on-the-job online communications." Judge James M. Rosenbaum, Reagan-appointed chief judge of the United States District Court for the District of Minnesota, in Minneapolis, expresses surprise that employees should be expected to tolerate "an electronic rummage through their lives." "The present concept permits -- and even encourages - 'Big Brother' searches," wrote Judge Rosenbaum. "... just as an employee does not surrender all privacy rights on the company's premises, so they should not be automatically surrendered on the company's computers."" The column linked above is interesting; you can also read the original paper online.
You appear to be avoiding half the issue.
;)
.|` Clouds cross the black moonlight,
When you're at work, you're still you, you're just on work's premises using their gear. You have to respect *both* halves of `still you' and `their gear', though. This is why it's give and take: the only sensible kind of policy I've seen is one that says `we won't snoop and you won't waste resources'.
There's no need to get all stuck on one extreme ("it's the employer's gear!") or another ("you have privacy rights!") when there's a common-sense fair middle of the road to be taking.
Next issue please?
~Tim
--
Rushing on down to the circle of the turn
Whatever happened to this bill which would force employers to inform the employees of their e-mail reading policies?
...to distinguish privacy related issues when talking about a corporate network. After all, the only real reason a company will give you Internet access in your office these days is because more and more business applications require it. Therefore companies expect a certain level of usage discipline from their employees.
Of course, I don't know if my boss would appreciate me using my work time to post to /., so I'll be going now...
So remember: Excel Spreadsheets are okay. All Your Base/Porn is not.
Attention deficit disorder is a complicated issue, spanning several major... HEY LET'S GO RIDE BIKES!
Sigh ... I guess it's back to those paper-and-staples porn publications when I'm waiting for a client to call!
"Old man yells at systemd"
These kinds of articles aren't even really news, in the sense that corporations will always have the upper-hand in terms of employee "privacy." People need to get used to the idea, and circumvent the problem instead of simply bitch about it.
This is yet another example of why we should require licenses to use computers. Because that way we would not be pestered with idiots like Judge Rosenbaum and silly notions like the "cyber time-out."
This sounds great. And I'd bet that this will dramatically improve Judge Rosenbaum's standing as a with-it, 21st-century judge. No doubt he'll be assigned the next DMCA-related case to surface in his circuit, and he'll be asked to speak on this issue at state bar conventions across the Midwest.
This would be a catastrophe. This lunacy must be stopped before it gains the slightest credibility in any circles, anywhere. (And no, I am not kidding.)
Example #1:
Quick quiz: what's been the big computer story of the week? Right--the SirCam virus. Well, lessee. Suppose you're the network sysadmin for the U.S. Court of Appeals in Minneapolis. You have been infected by the SirCam virus, which is wreaking havoc on your email system (and sending random files from your users' desktops all over the Internet). How can you stop it?
"That's a no-brainer," you say. "I just identify the infected machines, isolate them, and remove the virus." Bzzzzt! Wrong! You see--you can't remove that virus from that machine. It's the computer used by a moron circuit court judge who has propounded the theory of the "Cyber Time-Out"--72-hour notice of an intent to search the computer, in which you must specify the exact files you intend to review. (More on that delirious bit of nonsense below.) So for the next 72 hours, after you have identified that the problem is Judge Rosenbaum, after you have identified the specific files that are causing the virus, after you have jumped through the hoops that define "proper notice" (what? he's on vacation? with no phone number?) and after he has had recourse through the courts to prevent that search, you finally get the chance to address the virus.
And what, pray tell, do you do if the yutz decides to get really stupid and insist that he won't let you search the PC, because he doesn't think he has a virus? And what happens if he manages to convince some lawyer and/or a judge to agree with him, and gets an injunction against you?
Example #2:
You are the Vice President and Legal Counsel for a major corporation. Your counterpart at a competitor calls you, and follows up with a document sent by messenger. One of your sales managers has been negotiating for a position at your competitor, and has gratuitously offered extremely confidential information as a show of his enthusiasm for his new employer. (You might think that the competitor would say, "eureka! we have the secret plans!" but it isn't true. The legal consequences of getting caught are horrendous [and can include jail time]. Standard corporate practice is to return competitor secrets as quickly as possible, using publicly-documented methods.)
What do you do? You call the network admins and tell them that you want the bozo's network passwords changed immediately, and you want his machine seized. Who knows what other corporate secrets this guy has handed out?
Bzzzt! Sorry! The bozo in question has a lawyer, and the lawyer has been reading The Green Bag. And the lawyer has read this cockamamie theory about a "cyber time-out" that requires you to a) notify the employee about a search 72 hours in advance; and b) specify the exact files you wish to view. The "Rosenbaum Rule" (coming soon, to a courtroom near you) explicitly frowns on general searches--you can't just go fishing on the fellow's hard drive to see if he's doing something nefarious.
Rosenbaum's Tautology
Beyond the practical problems that I have raised above, Judge Rosenbaum's proposed "cyber time-out" includes a "reasonable" provision that effectively prevents any search of an employee's hard drive at all. Rosenbaum specifies two (really three) tests:
1. The employee must be notified 72 hours in advance;
1a. The employee must be properly notified (and what constitutes proper notice will be litigated for years); and
2. The employer must specify which specific files are to be searched.
That's a tautology: you can't search the hard drive unless you know the name of the specific file you're looking for; and you can't know the specific file you're looking for unless you search the hard drive. Think of the SirCam virus again (or just snooping in the employee's email). Lots of email clients (including Microsoft Outlook, the most commonly-used MUA) permit you to specify the name of the file where mail is stored. If the user changes the file name from the default (say, to "porn_drugs_terrorism.pst") the employer has no way of knowing the file name. And hence cannot properly inform the employee of a search--so the employee cannot be searched.
Is Rosenbaum that dumb?
Ask yourself. Is Judge Rosenbaum really so stupid as to not realize that his oh-so-reasonable "cyber time-out" effectively prevents employers from searching employee hard drives at all? I honestly don't think so. Lawyers get through law school by learning to carefully understand the meaning and implication of every word: and to write contracts (and legal journal articles) that carefully exploit the full meaning of each word. Rosenbaum isn't just a lawyer--he's a judge. He isn't just a judge, he is a federal judge; and he isn't just a federal judge, he is an appellate court judge. He didn't just write this article on the back of an envelope--he wrote it for a legal journal, hoping to promote a new legal theory. His clever little tautology is intentional: you can't search the hard drive unless you know the file name. And you can't know the file name unless you search the drive. (Question: what's the file name on a boot track virus?)
Bottom line:
This is a really, really, really bad idea.
If you don't like it then get your company to change its policies. By and large most companies don't tap their employees' phones because the management would never want their own phones tapped. However, it's easy to spot an employee who is abusing the phone equipment (they are constantly chit-chatting). With computers it's easy to divert them to your own benefit without others easily noticing. For this reason I wouldn't expect companies to change their policies any time soon.
Burris
At the company that I work at, each and every person we hire must sign a disclosure saying the company has the right to read everything they email, monitor their network traffic and listen to their phone conversations. If any of these actions are taken upon an individual, it is recorded by HR. Being the network administrator where I am employed, I have had to do the search and seizure of network traffic, Internet and LAN based, and retrieval and review of several employees' email. I can't say I like doing this; besides the fact it is a pain in the ass, I always find out things about my fellow co-workers I really don't care to know about. I think the way the judge is looking at giving a 72 hour timeframe with notice to the employee is a good idea, would allow people to clean up their act a bit.
It is reasonable to expect a certain level of personal activity and communication while on the job. E-mail and web use should be no different.
In this type of situation, an employee complains of harassment/discrimination/retaliation and the company then searches their computer and finds an email to a sick father and then fires the employee for using the computer for personal use. Or, after the person is fired, they search the computer and then give that reason for the termination.
The Supreme Court says that after-acquired evidence cannot be used to justify termination, but says nothing on an investigation being a form of retaliation. That an investigation was done because a complaint has been made.
Maybe everyone should use PGP at work?
Fight Spammers!
It's not your T1 (DS3...)
It's not your router
It's not your firewall
It's not your switch
It's not your hub
It's not your CAT5
It's not your jack
It's not your server(s)
It's not your computer (laptop)
It's not your mouse
It's not your keyboard
It's not your software (maybe it isn't even your company's!)
None of it belongs to you
They ARE paying you (even if you don't like what they're paying you)
Most Sys Admins don't give a crap if you send your (insert personal contact here) an email or two about how your day is going.
I have a real simple rule for my users. Don't send anything via email that would make a nun blush.
In the world of electrons, 1s and 0s and RECOVERABLE information you have to be out of your friggin mind to expect privacy of any kind!
---
This
Personally, I have never considered that I would have privacy in the workplace. I will probably take a Karma hit for saying so, but seriously, you're there at work to work. If you're doing something besides working (goofing off, flirting, looking for your next job, whatever) then expect to get slapped for it. Maybe I just have a screwed up work ethic, but if they are paying you, the company that you work for should be able to expect you to be doing something that benefits them, not browsing the latest porn site. If you want to do those other things on a break/lunch then go away from the company to do it.
Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
The major problem is that courts have held companies liable for their employees' conduct, even when that conduct is against company policy. Therefore, we MUST scan our email for anything that could be remotely deemed offensive, or we risk being sued. If we choose to respect privacy, then we open ourselves up to massive liability.
We need laws protecting employers from liability if an employee refuses to report misconduct. Then we could do away with some of the scanning and observing technologies we have (which cost us quite a bit... many thousands.) If someone receives an offensive message, reports it, and nothing happens, ONLY then should the company be responsible for it. But the way the courts have ruled up to this point, simply not performing active scanning of email is an admission of guilt.
-- russ
Natural != (nontoxic || beneficial)
Judge Rosenbaum makes some interesting points in his article; however, one that seems to have been missed is the difference between computers and any older technique for information storage.
No one would object (in a legal sense) if an employer chose to open the file cabinet next to an employee's desk and examine the documents within, as these documents would probably be considered property of the employer.
How is that different than examining the documents on the computer the employer has provided for my use during my employment? Well, in several key areas: first, computers are much more versatile than the file cabinet in that they have the capability to perform thousands of operations that the paper and pencil would not facilitate (like web surfing for the purpose of evaluating reviews of an OSS version of a product competing with that of my company), as well as many others from communicating with my son, to buying groceries if I so choose. Some of these activities are work related and some are not.
Searching the computer becomes less like rifling through the file cabinet and more like searching the company car which I drive to work in every day. While it does belong to the company, it is a common practice for me to use it for non-work related personal activities like picking my son up from soccer practice (which is why there's a Power Rangers toy in the back seat).
The point is, when employees are given tools with vast flexibility and power then employees are given a certain level of responsibility to behave appropriately. By extension the employee is also given a level of autonomy to use the device (whether it be a computer or a car) in a manner he sees fit. Judge Rosenbaum suggests that the grant of this authority to the employee comes with a set of additional rights to privacy with respect to the device/tool in question.
If my employer did not trust me I would be provided with a paper and pencil, with which I could perform no other function than my specified job function and no-one would have any problem with the employer viewing the documents I had created with the pencil over the course of the work day.
The proposal here is: With the grant of powerful devices such as computers to employees, comes a grant of authority, autonomy and privacy with regard to the use of such devices.
--CTH
--Got Lists? | Top 95 Star Wars Line
I had a co-worker once get around the sysadmin god's tracking systems (better known as the extortion system) by using a remote access system like VNC or PC Anywhere. Our company prohibits visiting restricted sites through the company network, but not through your own.
"I'll just chip in a bit for RedHat: I actually have that installed on my university machine." - Linus, '95
If you encrypt all your email and use SSL for all communications, then as long as the DMCA stands, your employer can't spy on you without a jail sentence. People need to start encrypting things, not just your secret stuff, everything. Until we start doing this as a country and it catches on, we'll always have to worry about who is looking over our shoulder no matter where we are...
"Your superior intellect is no match for our puny weapons!"
I should have the right to send encrypted mail from work if I feel like it.
No, you shouldn't. You are using the company's computers to send a message over the company's networks. That equipment does not belong to you; you do not have the right to do anything with it that the company does not explicitly allow.
We monitor everything. We scan all email for keywords. All encrypted mail is immediately discarded; we don't allow it for security reasons. For all we know, you could be stealing company secrets, sending/receiving a virus (whether on purpose or not), or engaging in illegal behavior.
We could care less if you send a message home to the wifey, although if it's explicit, expect it to get flagged for further review (and salivation) by one of the geeks in the computer department - I'm one of many. All web activity is logged but we don't do anything about it unless you're blatantly disregarding your job duties, or if it's pr0n or illegal. We've only fired one guy for inappropriate computer use. (He spent 2 straight days doing nothing but downloading hard core pr0n, presumably spanking it right there in his cubicle)
You have no right to privacy when using company equipment. When I pay for your time and own the equipment, I reserve the right to monitor how you use it.
-Ryan, with the unoriginal sig