Slashdot Mirror


System Administration and Corporate Ethics?

Not-a-BOFH asks: "About seven years ago while SysAdmin'ing for a (then) small software company, I was approached by the CEO regarding a technical issue. He explained to me that he got a bit hot headed at another employee and sent said person an email that he now wished he hadn't sent. His request to me was to dig through this person's email and delete it before he came in that morning. As the SysAdmin, this was certainly possible for me to do, but I've always tried to remain ethical when having such access to sensitive documents. In the case of email, I explained to the CEO that to me it was like tampering with the U.S. Mail, and I wasn't comfortable doing it. Long story short, my boss had no issue with it, and wound up doing it anyway. Looking back now, I'm not really all that surprised that that decision of mine led to my getting fired, but I've always wondered how many other people have had similar situations happen to them, where personal ethics and CEO heavyhanding came into play, and their job security suffered from the clash."

19 of 192 comments

  1. Every day. by mikedaisey · · Score: 5, Interesting

    This sort of thing happens all the time: sysadmins are in an interesting position where they feel ethical responsibilities to their network and the privacy of their users because they associate this with their jobs.

    Sadly, I think that is leftover from the collegiate atmosphere where the sysadmin culture evolved--corporations have no such rules or regard for privacy. The fact that most corporations track every metric and move their employees make.

    If you are allowed to have the illusion of freedom and fairness as a sysadmin, enjoy it but make no mistake: it is an illusion, and if it interferes with real work, higher-ups or the bottom line these "ethics" are going to take a walk.

    Businesses only respect ethics that are enforced by government agency and carry real penalties--manipulating internal email is not one of these.

  2. outlook by Trusty+Penfold · · Score: 3, Interesting


    You should have used MS Outlook, it is the most ethical email system since it has the "Recall" feature. The CEO could have recalled the email without presenting anyone with any ethical dilemmas.

    1. Re:outlook by ichimunki · · Score: 2, Interesting

      While I would gladly stipulate that Unix did not have this as a design requirement, I think a similarly functioning system could be built by simply not using the root account for very many activities. It is also possible to log any and all logins, prevent root from logging in without first logging in as a normal user (this way you can see who logged in as root), etc. I also think that corporations where this is an issue should build a login prompt for root that requires two independent passwords to authenticate (and no, I'm not aware of existing software to do this). Then you could set up a group of people who can all log in as root, but only if there are two of them doing so.

      Finally, as a user (or as the user's process), there are plenty of encryption tools that would prevent the sysadmin from being able to get at data, even if it were world-readable.

      --
      I do not have a signature
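
A sketch of the two-person root login ichimunki describes, as an added example that is not part of the comment or the original page. The group members, passwords and function names are constructed for illustration; a real deployment would sit behind PAM or sudo rather than a standalone script.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for the sketch)


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str):
    """Return (salt, derived_key) so no plaintext password is stored."""
    salt = os.urandom(16)
    return salt, _derive(password, salt)


# Constructed sample data: hypothetical operators allowed to co-authorize root.
ROOT_GROUP = {
    "alice": make_record("correct horse"),
    "bob": make_record("battery staple"),
    "carol": make_record("maple-lantern-42"),
}

AUDIT_LOG = []  # every attempt is recorded, granted or not


def verify(user: str, password: str) -> bool:
    record = ROOT_GROUP.get(user)
    if record is None:
        _derive(password, b"\x00" * 16)  # same work for unknown users
        return False
    salt, expected = record
    return hmac.compare_digest(_derive(password, salt), expected)


def authorize_root(first, second) -> bool:
    """Grant root only if two *different* group members both authenticate."""
    (user_a, pw_a), (user_b, pw_b) = first, second
    ok_a = verify(user_a, pw_a)
    ok_b = verify(user_b, pw_b)
    granted = ok_a and ok_b and user_a != user_b
    # Log the named individuals, so root activity is attributable to people.
    AUDIT_LOG.append({"users": (user_a, user_b), "granted": granted})
    return granted


if __name__ == "__main__":
    print(authorize_root(("alice", "correct horse"), ("bob", "battery staple")))
    print(authorize_root(("alice", "correct horse"), ("alice", "correct horse")))
    print(AUDIT_LOG)
```
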
  3. Commonplace by darkov · · Score: 3, Interesting

    I used to work for a fairly large company - they managed about $3 billion in investments. The IT department was being run by an idiot. One of the IT managers who left because the IT department was being run into the ground sent one of the directors an email revealing what was going on in IT. The director was on holidays for a week, but he never got the email because the head of IT got one of the sysadmins to delete the mail from his inbox. I quit the company after 4 months after being dressed down for bringing up serious problems in their trading systems.

  4. ethics != abetting liability-causing acts by thenerdgod · · Score: 2, Interesting

    Years ago, I worked at a small web development company. One day, one of the other sysadmins came to me with mail he had found on the mailserver while checking some error he was having, that proved that the CEO's wife (herself a VP) was sleeping with the CEO's best friend (another VP). We sat and decided that the ethical answer was to forward the info to the CEO. After, of course, we had both resigned the company. What do you do? Shoot the hostage?

    But seriously, corporate mail isn't some sacrosanct thing. It's less like the US mail and more like FedEx. If you discovered that you'd mailed the wrong package, I figure FedEx should return it to you and let you make it right. What you're doing is saving the company from liability: "Oh, crap! I didn't mail out Teddy Bears to that orphanage, I mailed out Glass Shards!" In all honesty, if you got fired for it, you had it coming. You're someone's employee. Next time check the org. chart.

  5. Practicality by quantax · · Score: 4, Interesting

    I have been in a similar position before, though for me it was spamming for a company. I was working for this designer lighting manufacturer as an admin and we were definitely feeling some of the effects of the economy at the time (right after the .com bust). So the CEO came to me with the option of gaining customers through spamming. I have never liked spam, and like most right-minded geeks, find its existence annoying and unnecessary. However, I am a college student and jobs like this do not come along all the time (decent pay, good coworkers, very flexible), so I went along with it and did a round of spamming. I did try to convince the boss of other methods, but the fact of the matter is that he had his mind set on this. I figured it's either my job, or a lot of pissed off/annoyed people who I will never see. I shot out 27,000 spams, not that much next to some, but 27,000 nonetheless. We got a lot of hate mail the next day, it was actually rather amusing in some respects since the rants were often JeffK worthy. So I kept my job, and 27,000 people got spammed. Those 27,000 people have now completely forgotten about that spam, and I have not forgotten about keeping my job. In short, it's a dog-eat-dog world, and sometimes you gotta bite the bullet to stay afloat. If you won't do it, some other monkey with a lot less scruples than you will do it, and probably even worse.

    --
    "What can a thoughtful man hope for mankind on Earth, given the experience of the past million years? Nothing." -Bokonon
  6. Re:Email vs. telephone by crath · · Score: 5, Interesting

    Email systems (and voicemail for that matter) have over the years sporadically supported a feature that allows the sender to delete unread/unlistened messages. Sadly, I know of no OSS email system that supports this functionality.

    Where I work, we use MS Exchange configured in Enterprise mode. There is a feature to allow unread email messages to be "recalled"; however, the implementation of the feature is such that each email-reader (User Agent) can disable the feature completely or disregard individual recall requests.

    My personal use of the feature is most often to recall an email that contains an error. I then substitute a corrected version of the email. When this works, and the message is recalled successfully, it removes from my communication the possibility that the receiver will save the email that contained the bad data, and not save a follow-up email that explains the errors of the first email.

    While some will argue that it is a user's *right* to be able to read every email sent to them, it is just as easy to construct an argument that until an email is read it is the sender's *right* to be able to un-send it. To my mind, anytime we can put in place technology that allows people to correct their mistakes (be they emotional mistakes or technical/informational ones) it makes it easier for us to all get along with one another. The less stress we inject into our workplace/relationships, the better!

  7. Re:excuse me? by 91degrees · · Score: 3, Interesting

    The ethical issue is that he believes that it is wrong to go through someone else's email and delete one, whatever the circumstances. Finding an arbitrary exception will breach those ethics, or require them to be reevaluated.

    Reevaluating one's ethics does not happen in a matter of minutes.

  8. The SAGE Code of Ethics by TilJ · · Score: 5, Interesting

    The SAGE Code of Ethics seems useful for this situation.

    Canon 2, "A system administrator shall not unnecessarily infringe upon the rights of users", seems to apply to this particular case. The relevant portion is:

    "System administrators will not exercise their special powers to access any private information other than when necessary to their role as system managers, and then only to the degree necessary to perform that role, while remaining within established site policies. Regardless of how it was obtained, system administrators will maintain the confidentiality of all private information."

    I read that to mean that if there is a site policy regarding email, the ethical thing to do is to follow the policy. Failing the existence of a policy, the ethical thing to do is to not infringe on the rights of the users.

    --
    "The purpose of argument is to change the nature of truth." -- Bene Gesserit Precept
  9. Not email related but equally deplorable... by Anonymous Coward · · Score: 2, Interesting

    A few years ago I was working for an e-commerce fuckup..er, startup. I was young and wet behind the ears. I was asked by the CEO (and the CFO, and the CTO) to forge some sales data for a certain product. Our continued ability to sell this product relied on our trial sales data and the data that I forged convinced the vendor to continue to let our trial continue.

    I felt HORRIBLE afterwards. I approached the three of them regarding this and told them that if they asked me to do it again I'd report it to the vendor. There was huffing and puffing but in the end I guess they either a) thought I had them by the balls or b) they regretted it as well. They assured me I'd never have to do anything so dishonest again and I didn't...

    Work related, at any rate... :)

  10. OK _ a "REAL" ethics story then... by Anonymous Coward · · Score: 1, Interesting

    While managing a web/e-commerce system at a company whose name rhymes with "Bogue Shave", I noticed once that a customer had inadvertently been identified and charged the "international" rate for some software. It meant he paid a fair amount more than he should have, and the wrong sales rep got the commission.

    I brought it up with the head of sales, who told me "he'd look into it" and eventually just told me to leave it as is. I expressed my discomfort to this solution to my own boss (head of IT) who also said, "He'd look into it". Of course by then I knew what that meant.

    In hindsight, I should have just sent the customer and the sales rep who got screwed out of a commission a quiet little email and let them raise a stink about it. Or should I have just sucked up to the corporate way like some people here seem to think?

  11. Business Email = Correspondence by tigersha · · Score: 5, Interesting

    At our firm we let new employees sign a letter before they start working that we archive ALL EMails they send. We treat Emails as business correspondence. We file letters that we send in an official capacity, EMails are the same.

    Our sendmail server sends all mails going out (and coming in) to a central mailbox.

    That said, we also provide people with TWO addresses, one is private and is never tampered with, the other one is public and is put in the files. They know this, and can decide which one to use to send the mails. We are also not anal retentive about sending personal mails and phone calls from work. I mean, they are people, not machines.

    However, sending business mails under your personal account is frowned upon.

    This system works well and we never had any problems with it. Also, access to the central mail file is the same as access to business files in that only some managers may look into it. But generally business EMails are treated like any other business correspondence: filed as it should be.

    This policy has helped us a lot when people leave, but they knew beforehand that their mailboxes are open.

    --
    The dangers of excessive individualism are nothing compared to the oppressiveness of excessive collectivism
  12. I thought you got screwed, but then... by nick_danger · · Score: 4, Interesting

    At first glance I thought to myself, "Wow, you got screwed." But then I got to thinking: The courts have seen to it (in the U.S. anyway, just ask M$) that email is not as private as some want to think. When was the last time we got outraged by someone reporting that their employer instituted all sorts of no-privacy policies with regard to corporate email? Not recently, because we've all come to accept that when playing on someone else's network, we have to play by their rules. And more often than not, their rules mean our email is not inviolate, and that sys admins probably can read it anytime they want. From there, it's only a very short stretch to what you described. The only leg you would have had to stand on would be if your former employer had a written policy ensuring the privacy of electronic communications, and I doubt they did.

  13. Heart pacemakers by Anonymous Coward · · Score: 2, Interesting
    I was a technician who brought external, temporary heart pacemakers to life once they were completely assembled. Because of company politics, I was assigned no more than 12 (iirc) minutes to do each one. Considering that some needed extra care (contamination problems in a micropower circuit caused occasional poorly-controlled "overdoses"), and also had trimmers that were extremely difficult to set, I preferred to take longer if necessary.

    I was fired for being responsibly careful in initial checkout and test of temporary external heart pacemakers.
    Knowing how whistleblowers rank lower than the priest(s) who founded NAMBLA, I decided to stay silent. Have never been happy about this, and am glad Slashdot permits anon. posting.

  14. Re:excuse me? by tzanger · · Score: 2, Interesting

    I agree it can get silly, however the law is the law. Sure you can grep etc. and find a mail, however firstly, what if you make a typo and forget to pipe and output all the guy's mail to the screen, and secondly, what if they are using Outlook?

    Are there no clauses for accidental exposure in the UK? Seems awfully strict to me.

  15. Re:excuse me? by gl4ss · · Score: 2, Interesting

    reading private mail protected by password would be considered as same as opening up a private envelope the employee left on his work desk.

    this would be illegal in several countries, maybe not in usa but still, the original asker didn't specify he was living in usa.

    even using some automated program to go through it could be considered as the same, if the purpose was deleting the mail. this is why several big institutions are not putting email filtering in effect(automatically removing virii and bad_stuff_in_general) around here.

    in usa wonderland of rights, you might not be entitled to any privacy protection against your employer though.

    --
    world was created 5 seconds before this post as it is.
  16. Same happened to me. by rikkus-x · · Score: 2, Interesting

    Some years back, I was the UNIX admin at a company.

    One of the company's managers came up to me and said she thought one of the people under her was spending her time writing personal email rather than doing work, and please could I have a look.

    I said no, absolutely not. As far as I was concerned, her email may contain personal information and I would not breach her privacy. Even if she had been abusing the system by e.g. sending hundreds of multiple-megabyte messages an hour, I still wouldn't actually _read_ it. I'd just tell her to stop it.

    So, I apologised, but said she'd have to find a different way to get to the bottom of the matter.

    I don't know if this had any direct consequence, but I ended up being fired a few weeks later, after being set up (reprimanded for running a password cracker (er, I was root on every machine in the company) - running a password cracker to check the hardness of everyone's passwords is standard practice for sysadmins, no? - and for messing up a backup - which was actually my superior's mistake, but he wanted rid of me.)

    I stopped doing sysadmin work after that episode.

  17. Re:excuse me? by skinfitz · · Score: 4, Interesting

    Yep - it is. To make it worse, there are two laws that literally contradict each other. There is the Regulation of Investigatory Powers Act 2000 (RIPA), where as a sysadmin responsible for a lot of users I'm required by law to keep full text mail logs for 28 days (which you are not allowed to delete!). I can be asked by the police to supply log data at any time (admittedly it has to come from a senior officer) and if this happens, I'm not allowed to mention it to anyone that I've been asked to supply the information, including a judge(!) on pain of 2 years imprisonment. (I kid you not).

    I think you will be looking at this like we all were and going "HUH??" by now, as obviously it makes things extremely difficult! Basically you can think of it as a Big Brother type of law. Oh and if you are thinking "no problem - I'll just use crypto" that's 2 years in prison if you refuse to hand over your encryption keys.

    Then we have the Human Rights Act 1998 which strengthens the privacy of the individual. This is the one where I'm not allowed to look at personal information, however under RIP I *can* open up mailboxes if I'm investigating "an incident" however if I see anything else (non work related) while I'm there I'm not allowed to discuss it or use that information in any way. *phew*. Obviously all this stuff can be a nightmare, and so the way that we get around it is to have company policies about email, such as clearly documented allowed uses and document that all mail is potentially going to be read etc, however even that can get awkward as under the Human Rights Act 1998 we have to provide private means of communications of individuals. This includes things like staff having access to personal email (in practice a viral back door nightmare) and guaranteed un-monitored phones (i.e. payphones). All in all it's quite a complicated profession nowadays - lol.

  18. Who owns that email? by AlecC · · Score: 3, Interesting

    I am not absolutely sure I agree with you. Obviously, it would be totally unethical to delete a third party's email. But you were being asked to delete an email by its originator - someone who could be regarded as its owner. Obviously (IMO), once the recipient has read and taken in the content of that email, s/he has the right to keep it, if only to produce it as evidence of harassment. But while they are still unaware of the email's existence, I think that ownership of the email remains with the author. So, if the author is requesting that you delete it and you can do so without (as other people have pointed out) infringing the recipient's privacy, it seems to me quite ethical to do so.

    As for the "it'll teach him to think before he posts" - I think that lesson has been learned, as far as it can be. You don't think an executive *likes* having to plead with a sysadm for a favour?

    --
    Consciousness is an illusion caused by an excess of self consciousness.