Where is the Line on Email Privacy?

A Conflicted Hosting Admin asks: "Imagine you're a webmaster running your own server. You provide email accounts to a third party as a 'service' in addition to hosting a web site for the third party. Now, suppose that one of the companies that you are hosting a site and email addresses for decides they need access to an email account for a previously disassociated employee. Does that company now have access to the email even though there is no written contract nor technology use policy? Where does the independent hoster look for guidance on something such as this?"

"It could be interpreted that the company is looking for evidence of impropriety or dishonesty on the part of the prior employee, but there was never a question before the sudden termination to suggest anything out of the ordinary was ongoing. I am such an admin. I am ready to allow access to the company requesting it. Several details are bugging me though. First, I have never been asked for access to any other terminated employees' email. Second, I recently inquired about preserving email for a different employee and got the short answer that all company ties had to be completely terminated. Third, the server is not owned by the company in question. I'm completely (other than the following item) independent of the company. Fourth, it's my relative's account.
I've simply not responded so far, but how far do I go? I'm not an ISP and I don't have agreements with the users. I'm also not the IT dept. Has anyone else had anything remotely similar, and if so; how did you respond?"

Is this a business account?

[kinnell]

If the email account in question is a work account provided to the employee by the company for work use, then the contents of the account are normally the property of the company, not the employee. Normally, the employee should not be using the account for personal use anyway, so any violations of his privacy are his own fault. Business email accounts generally contain a lot of valuable information pertaining to the job of the former employee which the company is perfectly entitled to recover.

Re:Is this a business account?

You can't legislate security. Laws do not stop people from listening to wireless telephone calls with baby monitors or scanners. If you want privacy in email communications then use PGP, or GnuPG.

Re:Is this a business account?

[override11]

but to perform that communication you are using work equipment...work bandwidth...work software licenses owned by the company. There is no reason that you should think that any of this belongs to you. If you program software on your work computer during work time, it is owned by the company, not you, why would email be any different??

Re:Is this a business account?

[sudog]

Hey. Idiot. It's irrelevant whether you're doing things on company time. The company doesn't OWN the employee during the hours he's working for them. He does NOT become a zombie drone-slave, and there's this little thing called basic human rights that each of us enjoy--since, as you may or may not be aware, we all live in a first-world country that supposedly treasures freedom.

The owner of the email is the employee, and the only one with the right to read it is the recipient, unless it's corporate email.

Period.

Since you seem to have trouble understanding the concept of an individual's privacy, and I'm very well aware that braindead idiots like you have no problem rationalising, let me ask you: Do you think the company has a right to put a camera in the same toilet you're taking a dump in, since it's a company toilet, company toilet paper, a company stall, all in a company bathroom?

Get a clue, fuckwad. People like you are the same people who freely give away simple basic human dignity in the name of capitalism. YOU are the reason that companies can get away with everything they can get away with. YOU, and every other fuckstick who thinks just like you.

Tard.

Re:Is this a business account?

[sudog]

That the best you can do?

You're damn fucking straight a company owes me something: Simple human dignity. If you treat an employee like a fucking scumbag, they're far more likely to act like one.

And who's the troll? I have no problem putting food on the table, and I won't have a problem doing so for many years to come.

If the only way to communicate with personal relations is via company email, the company has no right to listen in to the latest saga in that employee's personal health problems.

You think you own personal communications between a man and his wife? How about a man and his lawyer?

And you didn't answer my question, troll fuckwad. I've got lots of karma to burn; what about the toilets, you piece of shit? Ah, I see you side-stepped. Why? Because I'm right.

What an idiot.

Re:Is this a business account?

[Mr.+Slippery]

Its troll's like you that get fired because they fuck off on 'THEIR' computer...go on welfare and make me pay more taxes to support their fucking lazy bum asses...Its called COMPANY EMAIL for a reason, it belongs to the company...your damn right I own it!!

Quite aside from what the law says or doesn't say, it's asshole bosses like you who make companies fail.

Treat your employees like shit, and you'll never get good performance. It is fundamentally impossible to have accurate communication with people who you're intimidating.

Treat them like people - and that means respective privacy - and things will get done.

Re:Is this a business account?

[Anonymous+Brave+Guy]

As a company, the email and the equipment is owned by the company, and the fact that the employee feels they have the right to use them for personal business is rediculous.

But is it?

Of course, as an employer, you're entitled to expect your employees to do their jobs to the best of their ability, in exchange for whatever compensation you agreed. That is not in question.

However, you also have to recognise that you're employing real people with real lives. Some things basically have to be done during office hours, and if you're employing someone during those hours every day, it's only common sense that they can, e.g., make a five-minute personal phone call to a bank or mail order firm now and then.

By the same token, I think it's reasonable to expect, unless explicitly stated otherwise, that an e-mail account may be used for personal reasons, provided that use is not an excessive drain on either the employee's time or the company's resources/chequebook.

The question of monitoring communications is a tricky one. My argument, which I believe is enshrined in law in some countries fairly directly, would be that an employee should be entitled to reasonable privacy. If they're not abusing the system, they shouldn't be subject to monitoring or having their mail read by others, end of story.

Obviously, some times an employer will genuinely have reason to believe that an employee is doing something inappropriate, and must have some recourse in that event. However, IMHO that should be done with the support of a court, just as any wire tap or other invasion of privacy would be (well, aside from things like the Patriot XXX Act, and so on :-/) and not just because an employer randomly decides to take advantage of their access. If it's serious enough that it needs an invasion of privacy, it's surely also serious enough that someone's future employment and reputation is in question, and that's serious enough to do things properly, through legal channels.

Incidentally, I agree entirely with one or two of the other posters here: a smart employer won't rely on things like intercepting communications anyway, because it just breeds discontent amongst the staff, and that will damage productivity at best. It's also the surest way to ensure your good staff are the first to leave you for a more humane employer.

How about ...

How about you make a (verified) copy of the mailbox in question and (secretly) keep a copy on CD. Send a copy to the employee. Delete the mailbox.

Contact the company and say that as the employee was termintated you (following standard procedure) removed the mailbox and sent a copy to the 'mailbox owner', the employee.

Say you may be able to recover some data if they have a legal case for it.

You should then act on what they say, but you have something in writing to prevent you being sued by the employee for releasing personal data as you can counter sue the company for misleading you.

No IANAL

Re:How about ...

the employee is not the legal owner anymore the company is .

check with local lawyer.

[gl4ss]

no other way to check it out.

geez, why do people have to ask these things from slashdot?? ALL YOU GET IS OPINIONS ON HOW IT SHOULD BE, NOT THE CURRENT STATE OF THE LAWS IN THE COUNTRY YOU'RE IN.

for example there are countries in which you CAN NOT read employees email legally unless you have explicitly said&informed that you will read it when you gave that account to him/her(or along those lines anyways, and it must have been very clearly said/informed to the person in question that the mail isn't private despite being protected by a password and seeming to be for his/her eyes only, otherwise it's the same as receiving a letter with the employees name at the office, falling under 'letter secrecy'.). same goes for other 'private' material like tracking calls against the will of the employee(even if the business is paying for the line)..

one of the very good reasons for laws to exist is to make limits on what rights of yours you can give away... businesses don't come before people!

In Order of Importance...

[fuzzybunny]

-The law. You should have a lawyer, as a company. Use "it". Law _always_ _always_ _always_ supersedes business arrangements, policies, whatever.
-Your contractual obligations and anything you've committed yourself to. See #1.

And you could argue about the following:

-Your customer's needs, your conscience, your reputation, etc etc etc.

There are possible good reasons for this...

Most significantly, if the account was used for external business contacts, they'l like to continue the contacts, handle any incoming e-mail, etc.

Really, it bouls down to how you see your "customers". Is it primarily the company, or primarily the individuals?

I might forward any unread mail and set up a permanent future forwarding, but not provide the password to the mail account itself, so the company can't pretend that Mr.X is stll working there, but others can see that Ms.Y is taking over.

Alternatively, bounce all of Mr.X's e-mail with a message to contact Ms.Y instead.

If I felt there was something funny about the request and didn't think Mr.X was going to go on a vandalism rampage, I might have a quiet word with Mr.X before forwarding the e-mails. It's not like he couldn't have done anything he was going to do between the firing and the company telling you about it, after all...

Think of Future Implications...

[TheWanderingHermit]

1) Whatever you do will set a precedent, so keep that in mind. Saying "No" seems to your benefit, since saying "Yes" could set a pattern and they could expect more in the future.

2) Have you actually told them you still have the data? If so, this may not have been wise. As long as they don't know if the data still exists, they can push for it. If they don't know, they're reaching in the dark. This may be a good reason to start a policy of deleting accounts whenever you've received notice an employee is fired or whenever a client stops taking your services.

3) Get a lawyer. Why? This WILL be a precedent, if not for others, for this company. If they get what they want now, they may start asking to check everyone's email account and, eventually, they might go so far as to expect you to provide them with access to all accounts. You need to find out if you have a right to refuse the request. The best news that you could get would be a lawyer telling you that you either a) don't have to provide the data, or b) are not allowed to provide the data.

4) As said above (2 times), this will set a precedent, no matter what. In my experience, whenever someone asks for a special service, that isn't the end. It's not long before they ask for a repeat, and, once they've broken down that boundary, they ask for more and more. If you do decide to provide them access, or you find out you have to give them access, if possible you SHOULD charge for the service. Otherwise, they won't see this as as an item with value. By charging, you are setting a limit and taking steps to make sure they don't just keep asking for and expecting you to do more and more for them.

Re:Simply...

[SuiteSisterMary]

Seconded. He who pays for it, gets to play with it. Period.

If this company is paying for, say, five email accounts with you, and called up to say 'what is the password for account j.foobar?' then your response should have been 'Oh, of course! The password is: gorblat.'

Period. It's their accounts, you don't know what they do with them, you don't want to know what they do with them, you don't need to know what they do with them, and so on.

Re:In my case

[JohnQPublic]

I'm not going ethical into these things, I'm selling services...

If that's so, then you shouldn't be doing what you said you'd do. If your customer (the employer) tells you to delete the account, you delete it. But if they want the data, at least in the USA, it's theirs. And if you delete it, expect them to ask for the data to be restored from your backups.

Failing to turn it over to them or deleting it without their permission may get you sued, and rightly so. Unless your contract with the employer says you can ... you do have a contract, right?

Re:Remeber who is paying

[JohnQPublic]

OK, now THAT'S unethical. You're outright lying to your customer. I sure hope my company never does business with yours.

You have a conflict of interest

[JohnQPublic]

Fourth, it's my relative's account.

Even if for no other reason, you need to stand back and look at what you've done in the past. As a business providing a service for a fee, your company must treat this user's email the same as every other's. You're opening the company up for a justifiable lawsuit from the employer if you don't. Not only that, but you're establishing a precedent you'll have to follow in all future encounters with this employer and probably all others.

If you have no policies or past precedents to follow, you need to forget that this person is your relative and ask what you'd do with any other user. Then do the same. Your company may still get sued for making the wrong choice, but you'll eliminate the conflict of interest problem. Just make sure you immediate document this new policy, at least internally, and follow it in the future.

Even better, if you're not just a one-person company, recuse yourself. Give the employer's request to someone else to handle, and make it clear to that person that you have a conflict of interest and that they have the full authority to make whatever decision is consistent with past practice (and failing that, company philosophy and goals) without fear of reprisals. In writing, if possible.

ACM Code of Ethics

[drivers]

As an ACM member I will ...
1.1 Contribute to society and human well-being.
1.2 Avoid harm to others.
1.3 Be honest and trustworthy.
1.4 Be fair and take action not to discriminate.
1.5 Honor property rights including copyrights and patents.
1.6 Give proper credit for intellectual property.
1.7 Respect the privacy of others.
1.8 Honor confidentiality.


Sounds like you should not turn over the email. I wouldn't.