Where is the Line on Email Privacy?

A Conflicted Hosting Admin asks: "Imagine you're a webmaster running your own server. You provide email accounts to a third party as a 'service' in addition to hosting a web site for the third party. Now, suppose that one of the companies that you are hosting a site and email addresses for decides they need access to an email account for a previously disassociated employee. Does that company now have access to the email even though there is no written contract nor technology use policy? Where does the independent hoster look for guidance on something such as this?"

"It could be interpreted that the company is looking for evidence of impropriety or dishonesty on the part of the prior employee, but there was never a question before the sudden termination to suggest anything out of the ordinary was ongoing. I am such an admin. I am ready to allow access to the company requesting it. Several details are bugging me though. First, I have never been asked for access to any other terminated employees' email. Second, I recently inquired about preserving email for a different employee and got the short answer that all company ties had to be completely terminated. Third, the server is not owned by the company in question. I'm completely (other than the following item) independent of the company. Fourth, it's my relative's account.
I've simply not responded so far, but how far do I go? I'm not an ISP and I don't have agreements with the users. I'm also not the IT dept. Has anyone else had anything remotely similar, and if so; how did you respond?"

In my case

[sdukaric]

I'm providing some of those services to some smaller bussines. If I've got information that some user is not longer working for that company, I would delete/remove all the data associated with him same moment. There is few catches about it, but as sooner You remove them, the less chance is to end up with some horny manager asking for mail from cute secretary which was fired. To sum up, I'll go with "right on time" removal of all former employee data, and in case employee still HAS account/data in my system, then customer have any right to see it since they ARE paying for it. I'm not going ethical into these things, I'm selling services...

Remeber who is paying

[elp]

I work for a shared website hosting company, our policy is that the entity paying for the site and the mailboxes owns them, in this case the company.

How they choose to use the mail boxes is their business. Trying to override your customers idea of correct policy towards their staff will only cost you their business and the resulting bad reputation will hurt you.

My sympathies if its your relative, you could always lie and say that the box was deleted when the employee left.

Re:Remeber who is paying

[Glonoinha]

According to Kevin Mitnick roughly (insert large number here)% of all 'computer hacking' is done via social engineering. Why spend weeks or months on a distributed network hacking 4096-bit encryption when you can hire a 36DD-24-36 from the local stripper shack to get one of the guys to just tell her his password simply by pretending she likes him?

Old story - a sys/admin at company I was doing consulting for was bragging on his security at lunch with me one day, I told him I could hack my way onto his network in about 5 minutes. We get back, he takes that bet. With him standing there watching (I was dressed in a suit, everybody there knew I was the consultant - that helps) I called the department manager on the phone, said 'I need your username and password.' He told it to me, I walked to an empty machine, logged in as that user with that password. Took me 2 minutes.

IANAL

[orthogonal]

Does that company now have access to the email even though there is no written contract nor technology use policy?

me look left
me look right

me still sees no lawyers.

This is an ethical or moral or legal question (depending on your particular viewpoint).

Slashdot, to the extent it's not a troll-fest and crap-flooder's convention, is a technical forum.

That said, this techie's understanding of the relevant law is that an employee's email, as any other work-product, belongs to the company that paid for the email account and paid the employee for the time the employee spent producing the email.

On the other hand, at one time and place -- Feudal Europe -- "employers" thought they also had the right of droit du seigneur too, so we shouldn't fall into the trap of believing that something is right just because it's legal.

Perhaps by asserting that privacy trumps payment you'll be striking a blow for freedom that will be remembered, centuries from now, as the beginning of our liberation from employers who today claim that they can lock employees in warehouses, denying them medical attention or can strip search workers accused of theft.

Re:Is this a business account?

[hummassa]

NOT here in Brasil. E-mail is by law on par with telephonical communications, so tapping without judicial warrant is a crime. Total privacy is expected.

My personal policy in those cases is: the mailbox was empty at the time the account was blocked. All e-mail to it was bounced since.

Dot some Is, cross some Ts

[eclectro]

If you were in your relative's shoes, and he was the admin for the company, what would you want him to do for you?

I think you could think of this another way. Do you think phone conversations should be private?? Would you want the company you worked for taping all your conversations??

The company could be on a fishing expidition for all you know, looking for a way to get back at your relative.

Corporate morality is nonexistant in today's world.

If they owned the computer hardware, then they would have a powerful arguement for owning the emails. But according to your question, _you_ own the hardware.

If I were an ISP for that company, I would tell them to get a court order. I would do the same if I were playing admin for them.

I would respond to them in writing/certified mail that you need to protect yourself legally, and request politely that they do things "officially" and get a court order.

If they decide to no longer use your services and let you go, then you never needed their business in the first place. I would send a letter to them acknowledging the cessation of a business relationship. Then _with out reading the emails_ I would delete them, as there is no longer a business relationship with the company, and you no longer need them for any reason. Don't tell them that in the letter BTW, just do it.

They could threaten to sue you, in which case you no longer need their business. Call a lawyer. Have him send a certified letter to them explaining that you are immediately severing your business relationship and ask the lawyer how long you should hold on to the emails (I would guess thirty days, if not seven)and then delete them.

If they deliver a court order, obey it, and hope that you have an honest relative. Have him get a lawyer in any event.

Above all, keep yourself clean, honest, and do nothing that you will not be afraid to tell about in a court of law later without perjurying yourself.

I Am Not A Lawyer, and this is not meant as legal advice. Get a lawyer before doing any of this It's just one pal chatting with another about opinions on how to keep your nose clean.

If the bottom falls out, and everything goes to pot, sue slashdot for letting you ask the question in the first place before telling you to get a lawyer.

Re:employee contact

[shaitand]

If the company's account without the ISP DOESN'T state the company owns it, wouldn't it actually be the ISP's property?

Re:Is this a business account?

[hummassa]

No, no, no, to the law only matters whose communication it is. So, my mailbox in the company account is mine. It's my communication. Even if stated in a contract, the clause can be voided because of this.

Only in America?

[E_elven]

Looks like the courts in Finland just upheld a legislation barring an employer from reading employee e-mails. Couldn't find an announcement in English, nor are the translation tools too good, so you'll have to take my word for it. So they're faring well.

Re:Is this a business account?

[(trb001)]

Specifically, whoever paid for the accounts is the owner. Assuming that the company is paying you to host the site/mail accounts, they own them all and 'sublet' the accounts to their employees. Once that employee has vacated, the account is yours again.

--trb

Re:Is this a business account?

[MarkusQ]

No, no, no, to the law only matters whose communication it is.

Fine, but that doesn't change my point.

So, my mailbox in the company account is mine. It's my communication.

It might be, but it might be someone you have never met trying to contact the company to get a problem resolved, order something, etc.

My point is and was that you can't reasonably assume that all mail that comes to someone's e-mail account at work is an attempt to communicate with them and not an attempt to communicate with the company. If bdp@cryptic.com is answered by a guy named Bruce for a while and then subsequently given to someone named Betty, it might be a case where she's getting his personal communications (e.g. he's Bruce Donald Parsly and she's Betty Due Purdy), or it might be the company's (e.g., they both handle support for the company's Best Darned Product (tm) and he's just been promoted to janitor, leaving her stuck withall the support mail).

The point? You can't tell for sure without more information.

-- MarkusQ

How was this handled in previous technologies?

[no+longer+myself]

OK, today we get so bogged down in the technological aspect that the obvious can get away from us. Here's my point:

Mr. Former Employee
C/O Old Employer Co.
123 Industrial Way
Anytown, NJ 12345-6789

IANAL so I don't know the answer to this question: Who is legally allowed to open this envelope? I know I've seen bosses open the mail of departed former employees, look at it and say, "OK, I know what to do with this," and walk off, but the legality of such actions never crossed my mind. Find out the answer to this, and you've probably got your answer to the ethical dilemma around the e-mail question.