Where is the Line on Email Privacy?

A Conflicted Hosting Admin asks: "Imagine you're a webmaster running your own server. You provide email accounts to a third party as a 'service' in addition to hosting a web site for the third party. Now, suppose that one of the companies that you are hosting a site and email addresses for decides they need access to an email account for a previously disassociated employee. Does that company now have access to the email even though there is no written contract nor technology use policy? Where does the independent hoster look for guidance on something such as this?"

"It could be interpreted that the company is looking for evidence of impropriety or dishonesty on the part of the prior employee, but there was never a question before the sudden termination to suggest anything out of the ordinary was ongoing. I am such an admin. I am ready to allow access to the company requesting it. Several details are bugging me though. First, I have never been asked for access to any other terminated employees' email. Second, I recently inquired about preserving email for a different employee and got the short answer that all company ties had to be completely terminated. Third, the server is not owned by the company in question. I'm completely (other than the following item) independent of the company. Fourth, it's my relative's account.
I've simply not responded so far, but how far do I go? I'm not an ISP and I don't have agreements with the users. I'm also not the IT dept. Has anyone else had anything remotely similar, and if so; how did you respond?"

Is this a business account?

[kinnell]

If the email account in question is a work account provided to the employee by the company for work use, then the contents of the account are normally the property of the company, not the employee. Normally, the employee should not be using the account for personal use anyway, so any violations of his privacy are his own fault. Business email accounts generally contain a lot of valuable information pertaining to the job of the former employee which the company is perfectly entitled to recover.

Re:Is this a business account?

[Mr.+Slippery]

Its troll's like you that get fired because they fuck off on 'THEIR' computer...go on welfare and make me pay more taxes to support their fucking lazy bum asses...Its called COMPANY EMAIL for a reason, it belongs to the company...your damn right I own it!!

Quite aside from what the law says or doesn't say, it's asshole bosses like you who make companies fail.

Treat your employees like shit, and you'll never get good performance. It is fundamentally impossible to have accurate communication with people who you're intimidating.

Treat them like people - and that means respective privacy - and things will get done.

check with local lawyer.

[gl4ss]

no other way to check it out.

geez, why do people have to ask these things from slashdot?? ALL YOU GET IS OPINIONS ON HOW IT SHOULD BE, NOT THE CURRENT STATE OF THE LAWS IN THE COUNTRY YOU'RE IN.

for example there are countries in which you CAN NOT read employees email legally unless you have explicitly said&informed that you will read it when you gave that account to him/her(or along those lines anyways, and it must have been very clearly said/informed to the person in question that the mail isn't private despite being protected by a password and seeming to be for his/her eyes only, otherwise it's the same as receiving a letter with the employees name at the office, falling under 'letter secrecy'.). same goes for other 'private' material like tracking calls against the will of the employee(even if the business is paying for the line)..

one of the very good reasons for laws to exist is to make limits on what rights of yours you can give away... businesses don't come before people!

Think of Future Implications...

[TheWanderingHermit]

1) Whatever you do will set a precedent, so keep that in mind. Saying "No" seems to your benefit, since saying "Yes" could set a pattern and they could expect more in the future.

2) Have you actually told them you still have the data? If so, this may not have been wise. As long as they don't know if the data still exists, they can push for it. If they don't know, they're reaching in the dark. This may be a good reason to start a policy of deleting accounts whenever you've received notice an employee is fired or whenever a client stops taking your services.

3) Get a lawyer. Why? This WILL be a precedent, if not for others, for this company. If they get what they want now, they may start asking to check everyone's email account and, eventually, they might go so far as to expect you to provide them with access to all accounts. You need to find out if you have a right to refuse the request. The best news that you could get would be a lawyer telling you that you either a) don't have to provide the data, or b) are not allowed to provide the data.

4) As said above (2 times), this will set a precedent, no matter what. In my experience, whenever someone asks for a special service, that isn't the end. It's not long before they ask for a repeat, and, once they've broken down that boundary, they ask for more and more. If you do decide to provide them access, or you find out you have to give them access, if possible you SHOULD charge for the service. Otherwise, they won't see this as as an item with value. By charging, you are setting a limit and taking steps to make sure they don't just keep asking for and expecting you to do more and more for them.

Re:Simply...

[SuiteSisterMary]

Seconded. He who pays for it, gets to play with it. Period.

If this company is paying for, say, five email accounts with you, and called up to say 'what is the password for account j.foobar?' then your response should have been 'Oh, of course! The password is: gorblat.'

Period. It's their accounts, you don't know what they do with them, you don't want to know what they do with them, you don't need to know what they do with them, and so on.

You have a conflict of interest

[JohnQPublic]

Fourth, it's my relative's account.

Even if for no other reason, you need to stand back and look at what you've done in the past. As a business providing a service for a fee, your company must treat this user's email the same as every other's. You're opening the company up for a justifiable lawsuit from the employer if you don't. Not only that, but you're establishing a precedent you'll have to follow in all future encounters with this employer and probably all others.

If you have no policies or past precedents to follow, you need to forget that this person is your relative and ask what you'd do with any other user. Then do the same. Your company may still get sued for making the wrong choice, but you'll eliminate the conflict of interest problem. Just make sure you immediate document this new policy, at least internally, and follow it in the future.

Even better, if you're not just a one-person company, recuse yourself. Give the employer's request to someone else to handle, and make it clear to that person that you have a conflict of interest and that they have the full authority to make whatever decision is consistent with past practice (and failing that, company philosophy and goals) without fear of reprisals. In writing, if possible.

ACM Code of Ethics

[drivers]

As an ACM member I will ...
1.1 Contribute to society and human well-being.
1.2 Avoid harm to others.
1.3 Be honest and trustworthy.
1.4 Be fair and take action not to discriminate.
1.5 Honor property rights including copyrights and patents.
1.6 Give proper credit for intellectual property.
1.7 Respect the privacy of others.
1.8 Honor confidentiality.


Sounds like you should not turn over the email. I wouldn't.