Slashdot Mirror

← Back to Stories (view on slashdot.org)

Where is the Line on Email Privacy?

Posted by Cliff on from the dicey-moral-issues dept.

A Conflicted Hosting Admin asks: "Imagine you're a webmaster running your own server. You provide email accounts to a third party as a 'service' in addition to hosting a web site for the third party. Now, suppose that one of the companies that you are hosting a site and email addresses for decides they need access to an email account for a previously disassociated employee. Does that company now have access to the email even though there is no written contract nor technology use policy? Where does the independent hoster look for guidance on something such as this?"

"It could be interpreted that the company is looking for evidence of impropriety or dishonesty on the part of the prior employee, but there was never a question before the sudden termination to suggest anything out of the ordinary was ongoing. I am such an admin. I am ready to allow access to the company requesting it. Several details are bugging me though. First, I have never been asked for access to any other terminated employees' email. Second, I recently inquired about preserving email for a different employee and got the short answer that all company ties had to be completely terminated. Third, the server is not owned by the company in question. I'm completely (other than the following item) independent of the company. Fourth, it's my relative's account.
I've simply not responded so far, but how far do I go? I'm not an ISP and I don't have agreements with the users. I'm also not the IT dept. Has anyone else had anything remotely similar, and if so; how did you respond?"

37 of 103 comments (clear)

  1. Is this a business account? by kinnell · · Score: 4, Insightful

    If the email account in question is a work account provided to the employee by the company for work use, then the contents of the account are normally the property of the company, not the employee. Normally, the employee should not be using the account for personal use anyway, so any violations of his privacy are his own fault. Business email accounts generally contain a lot of valuable information pertaining to the job of the former employee which the company is perfectly entitled to recover.

    --
    If I seem short sighted, it is because I stand on the shoulders of midgets
    1. Re:Is this a business account? by hummassa · · Score: 5, Interesting

      NOT here in Brasil. E-mail is by law on par with telephonical communications, so tapping without judicial warrant is a crime. Total privacy is expected.

      My personal policy in those cases is: the mailbox was empty at the time the account was blocked. All e-mail to it was bounced since.

      --
      It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
    2. Re:Is this a business account? by hummassa · · Score: 2, Interesting

      No, no, no, to the law only matters whose communication it is. So, my mailbox in the company account is mine. It's my communication. Even if stated in a contract, the clause can be voided because of this.

      --
      It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
    3. Re:Is this a business account? by (trb001) · · Score: 4, Interesting

      Specifically, whoever paid for the accounts is the owner. Assuming that the company is paying you to host the site/mail accounts, they own them all and 'sublet' the accounts to their employees. Once that employee has vacated, the account is yours again.

      --trb

    4. Re:Is this a business account? by override11 · · Score: 2, Insightful

      but to perform that communication you are using work equipment...work bandwidth...work software licenses owned by the company. There is no reason that you should think that any of this belongs to you. If you program software on your work computer during work time, it is owned by the company, not you, why would email be any different??

      --
      No I didnt spell check this post...
    5. Re:Is this a business account? by MarkusQ · · Score: 3, Interesting

      No, no, no, to the law only matters whose communication it is.

      Fine, but that doesn't change my point.

      So, my mailbox in the company account is mine. It's my communication.

      It might be, but it might be someone you have never met trying to contact the company to get a problem resolved, order something, etc.

      My point is and was that you can't reasonably assume that all mail that comes to someone's e-mail account at work is an attempt to communicate with them and not an attempt to communicate with the company. If bdp@cryptic.com is answered by a guy named Bruce for a while and then subsequently given to someone named Betty, it might be a case where she's getting his personal communications (e.g. he's Bruce Donald Parsly and she's Betty Due Purdy), or it might be the company's (e.g., they both handle support for the company's Best Darned Product (tm) and he's just been promoted to janitor, leaving her stuck withall the support mail).

      The point? You can't tell for sure without more information.

      -- MarkusQ

    6. Re:Is this a business account? by sudog · · Score: 2, Insightful

      Hey. Idiot. It's irrelevant whether you're doing things on company time. The company doesn't OWN the employee during the hours he's working for them. He does NOT become a zombie drone-slave, and there's this little thing called basic human rights that each of us enjoy--since, as you may or may not be aware, we all live in a first-world country that supposedly treasures freedom.

      The owner of the email is the employee, and the only one with the right to read it is the recipient, unless it's corporate email.

      Period.

      Since you seem to have trouble understanding the concept of an individual's privacy, and I'm very well aware that braindead idiots like you have no problem rationalising, let me ask you: Do you think the company has a right to put a camera in the same toilet you're taking a dump in, since it's a company toilet, company toilet paper, a company stall, all in a company bathroom?

      Get a clue, fuckwad. People like you are the same people who freely give away simple basic human dignity in the name of capitalism. YOU are the reason that companies can get away with everything they can get away with. YOU, and every other fuckstick who thinks just like you.

      Tard.

    7. Re:Is this a business account? by sudog · · Score: 2, Insightful

      That the best you can do?

      You're damn fucking straight a company owes me something: Simple human dignity. If you treat an employee like a fucking scumbag, they're far more likely to act like one.

      And who's the troll? I have no problem putting food on the table, and I won't have a problem doing so for many years to come.

      If the only way to communicate with personal relations is via company email, the company has no right to listen in to the latest saga in that employee's personal health problems.

      You think you own personal communications between a man and his wife? How about a man and his lawyer?

      And you didn't answer my question, troll fuckwad. I've got lots of karma to burn; what about the toilets, you piece of shit? Ah, I see you side-stepped. Why? Because I'm right.

      What an idiot.

    8. Re:Is this a business account? by Mr.+Slippery · · Score: 3, Insightful
      Its troll's like you that get fired because they fuck off on 'THEIR' computer...go on welfare and make me pay more taxes to support their fucking lazy bum asses...Its called COMPANY EMAIL for a reason, it belongs to the company...your damn right I own it!!

      Quite aside from what the law says or doesn't say, it's asshole bosses like you who make companies fail.

      Treat your employees like shit, and you'll never get good performance. It is fundamentally impossible to have accurate communication with people who you're intimidating.

      Treat them like people - and that means respective privacy - and things will get done.

      --
      Tom Swiss | the infamous tms | my blog
      You cannot wash away blood with blood
    9. Re:Is this a business account? by Anonymous+Brave+Guy · · Score: 2, Insightful
      As a company, the email and the equipment is owned by the company, and the fact that the employee feels they have the right to use them for personal business is rediculous.

      But is it?

      Of course, as an employer, you're entitled to expect your employees to do their jobs to the best of their ability, in exchange for whatever compensation you agreed. That is not in question.

      However, you also have to recognise that you're employing real people with real lives. Some things basically have to be done during office hours, and if you're employing someone during those hours every day, it's only common sense that they can, e.g., make a five-minute personal phone call to a bank or mail order firm now and then.

      By the same token, I think it's reasonable to expect, unless explicitly stated otherwise, that an e-mail account may be used for personal reasons, provided that use is not an excessive drain on either the employee's time or the company's resources/chequebook.

      The question of monitoring communications is a tricky one. My argument, which I believe is enshrined in law in some countries fairly directly, would be that an employee should be entitled to reasonable privacy. If they're not abusing the system, they shouldn't be subject to monitoring or having their mail read by others, end of story.

      Obviously, some times an employer will genuinely have reason to believe that an employee is doing something inappropriate, and must have some recourse in that event. However, IMHO that should be done with the support of a court, just as any wire tap or other invasion of privacy would be (well, aside from things like the Patriot XXX Act, and so on :-/) and not just because an employer randomly decides to take advantage of their access. If it's serious enough that it needs an invasion of privacy, it's surely also serious enough that someone's future employment and reputation is in question, and that's serious enough to do things properly, through legal channels.

      Incidentally, I agree entirely with one or two of the other posters here: a smart employer won't rely on things like intercepting communications anyway, because it just breeds discontent amongst the staff, and that will damage productivity at best. It's also the surest way to ensure your good staff are the first to leave you for a more humane employer.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  2. employee contact by !the!bad!fish! · · Score: 2, Informative
    IANAL, in the UK the standard policy is to quote the Data Protection Act and delete any evidence.

    If the employee's contract, like mine, states that the company owns all e-mail communication then they owns it.

    --
    Kids today are tyrants. They contradict their parent, gobble their food, and tyrannize their teachers. - Socrates 400 BC
    1. Re:employee contact by shaitand · · Score: 2, Interesting

      If the company's account without the ISP DOESN'T state the company owns it, wouldn't it actually be the ISP's property?

  3. In my case by sdukaric · · Score: 2, Interesting

    I'm providing some of those services to some smaller bussines. If I've got information that some user is not longer working for that company, I would delete/remove all the data associated with him same moment. There is few catches about it, but as sooner You remove them, the less chance is to end up with some horny manager asking for mail from cute secretary which was fired. To sum up, I'll go with "right on time" removal of all former employee data, and in case employee still HAS account/data in my system, then customer have any right to see it since they ARE paying for it. I'm not going ethical into these things, I'm selling services...

    --
    Sinisa
    1. Re:In my case by JohnQPublic · · Score: 2, Insightful

      I'm not going ethical into these things, I'm selling services...

      If that's so, then you shouldn't be doing what you said you'd do. If your customer (the employer) tells you to delete the account, you delete it. But if they want the data, at least in the USA, it's theirs. And if you delete it, expect them to ask for the data to be restored from your backups.

      Failing to turn it over to them or deleting it without their permission may get you sued, and rightly so. Unless your contract with the employer says you can ... you do have a contract, right?

  4. Remeber who is paying by elp · · Score: 5, Interesting

    I work for a shared website hosting company, our policy is that the entity paying for the site and the mailboxes owns them, in this case the company.

    How they choose to use the mail boxes is their business. Trying to override your customers idea of correct policy towards their staff will only cost you their business and the resulting bad reputation will hurt you.

    My sympathies if its your relative, you could always lie and say that the box was deleted when the employee left.

    1. Re:Remeber who is paying by JohnQPublic · · Score: 2, Insightful

      OK, now THAT'S unethical. You're outright lying to your customer. I sure hope my company never does business with yours.

    2. Re:Remeber who is paying by Glonoinha · · Score: 2, Interesting

      According to Kevin Mitnick roughly (insert large number here)% of all 'computer hacking' is done via social engineering. Why spend weeks or months on a distributed network hacking 4096-bit encryption when you can hire a 36DD-24-36 from the local stripper shack to get one of the guys to just tell her his password simply by pretending she likes him?

      Old story - a sys/admin at company I was doing consulting for was bragging on his security at lunch with me one day, I told him I could hack my way onto his network in about 5 minutes. We get back, he takes that bet. With him standing there watching (I was dressed in a suit, everybody there knew I was the consultant - that helps) I called the department manager on the phone, said 'I need your username and password.' He told it to me, I walked to an empty machine, logged in as that user with that password. Took me 2 minutes.

      --
      Glonoinha the MebiByte Slayer
  5. IANAL by orthogonal · · Score: 2, Interesting

    Does that company now have access to the email even though there is no written contract nor technology use policy?

    me look left
    me look right

    me still sees no lawyers.

    This is an ethical or moral or legal question (depending on your particular viewpoint).

    Slashdot, to the extent it's not a troll-fest and crap-flooder's convention, is a technical forum.

    That said, this techie's understanding of the relevant law is that an employee's email, as any other work-product, belongs to the company that paid for the email account and paid the employee for the time the employee spent producing the email.

    On the other hand, at one time and place -- Feudal Europe -- "employers" thought they also had the right of droit du seigneur too, so we shouldn't fall into the trap of believing that something is right just because it's legal.

    Perhaps by asserting that privacy trumps payment you'll be striking a blow for freedom that will be remembered, centuries from now, as the beginning of our liberation from employers who today claim that they can lock employees in warehouses, denying them medical attention or can strip search workers accused of theft.

    --
    Opinions on the Twiddler2 hand-held keyboard?
  6. Policy, policy, policy by Jon+Peterson · · Score: 4, Informative

    Hi,

    As resident information officer for my little company, I've had both legal advice (in UK) and experience of similar situations.

    First off, the paperwork you need to worry about is the stuff between you (3rd party email services provider) and your customer (the company). What the company did or didn't say to the employee isn't really your problem - although it is their problem.

    Now, ideally, your contract, or your services schedule would contain something saying just what happens in this situation. If not - now's the time to add it!

    I would think that if the company phoned up and said 'sorry to be thick but I've forgotten the password for account xyz can you reset it?' then you'd do that, because handling lost or forgotten passwords is what you as service provider do.

    And that, basically is what has happened. Now, it _may be_ that the company actually promised the employee that it wouldn't read their old email once they'd left (a somewhat odd promise anyway). But, that's not your problem. You aren't helping the company break its promise, because you don't know about it's promise.

    More importantly it's NOT YOUR PLACE to determine your customer's privacy policies. That's actually quite important because your customers are (under UK law) liable for YOUR decisions regarding privacy. In order to deal with that liability your customers need to know what you will do in a given situation, and simply turning round and saying 'sorry dude I'm not going to tell you that' isn't good enough. A privacy policy that's too strict is just as bad as one that's too loose.

    That last sentence may seem odd, but consider this. Your customer is liable under the UK Data Protection Act for any personal information it holds. Now, just before Employee left the company, someone sent a copy of their CV to Employee on the off chance of getting a job. Now, that CV is sensitive personal information, and Company MUST be able to access it and/or remove it if the author of the CV so requests.

    So, it's no good them saying 'sorry, we can't delete your CV from our mail server because our ISP won't let us, so I guess it'll just hang around on the hard disk for ages until some guy somewhere with a root password takes a look at it'.

    No good at all, you see?

    So, my advice is:

    1) Don't play 'privacy hero' and decide what your customers can and can't do.
    2) Get some data protection rules into your contracts asap.
    3) Meanwhile act assuming that the customer is honest and decent - if they aren't it won't be your fault, but if you pre-judge them as evil spying people then it will be your fault

    --
    ----- .sig: file not found
  7. How about ... by Anonymous Coward · · Score: 2, Insightful

    How about you make a (verified) copy of the mailbox in question and (secretly) keep a copy on CD. Send a copy to the employee. Delete the mailbox.

    Contact the company and say that as the employee was termintated you (following standard procedure) removed the mailbox and sent a copy to the 'mailbox owner', the employee.

    Say you may be able to recover some data if they have a legal case for it.

    You should then act on what they say, but you have something in writing to prevent you being sued by the employee for releasing personal data as you can counter sue the company for misleading you.

    No IANAL

  8. check with local lawyer. by gl4ss · · Score: 3, Insightful

    no other way to check it out.

    geez, why do people have to ask these things from slashdot?? ALL YOU GET IS OPINIONS ON HOW IT SHOULD BE, NOT THE CURRENT STATE OF THE LAWS IN THE COUNTRY YOU'RE IN.

    for example there are countries in which you CAN NOT read employees email legally unless you have explicitly said&informed that you will read it when you gave that account to him/her(or along those lines anyways, and it must have been very clearly said/informed to the person in question that the mail isn't private despite being protected by a password and seeming to be for his/her eyes only, otherwise it's the same as receiving a letter with the employees name at the office, falling under 'letter secrecy'.). same goes for other 'private' material like tracking calls against the will of the employee(even if the business is paying for the line)..

    one of the very good reasons for laws to exist is to make limits on what rights of yours you can give away... businesses don't come before people!

    --
    world was created 5 seconds before this post as it is.
  9. In Order of Importance... by fuzzybunny · · Score: 2, Insightful

    -The law. You should have a lawyer, as a company. Use "it". Law _always_ _always_ _always_ supersedes business arrangements, policies, whatever.
    -Your contractual obligations and anything you've committed yourself to. See #1.

    And you could argue about the following:

    -Your customer's needs, your conscience, your reputation, etc etc etc.

    --
    Cole's Law: Thinly sliced cabbage
  10. Dot some Is, cross some Ts by eclectro · · Score: 2, Interesting

    If you were in your relative's shoes, and he was the admin for the company, what would you want him to do for you?

    I think you could think of this another way. Do you think phone conversations should be private?? Would you want the company you worked for taping all your conversations??

    The company could be on a fishing expidition for all you know, looking for a way to get back at your relative.

    Corporate morality is nonexistant in today's world.

    If they owned the computer hardware, then they would have a powerful arguement for owning the emails. But according to your question, _you_ own the hardware.

    If I were an ISP for that company, I would tell them to get a court order. I would do the same if I were playing admin for them.

    I would respond to them in writing/certified mail that you need to protect yourself legally, and request politely that they do things "officially" and get a court order.

    If they decide to no longer use your services and let you go, then you never needed their business in the first place. I would send a letter to them acknowledging the cessation of a business relationship. Then _with out reading the emails_ I would delete them, as there is no longer a business relationship with the company, and you no longer need them for any reason. Don't tell them that in the letter BTW, just do it.

    They could threaten to sue you, in which case you no longer need their business. Call a lawyer. Have him send a certified letter to them explaining that you are immediately severing your business relationship and ask the lawyer how long you should hold on to the emails (I would guess thirty days, if not seven)and then delete them.

    If they deliver a court order, obey it, and hope that you have an honest relative. Have him get a lawyer in any event.

    Above all, keep yourself clean, honest, and do nothing that you will not be afraid to tell about in a court of law later without perjurying yourself.

    I Am Not A Lawyer, and this is not meant as legal advice. Get a lawyer before doing any of this It's just one pal chatting with another about opinions on how to keep your nose clean.

    If the bottom falls out, and everything goes to pot, sue slashdot for letting you ask the question in the first place before telling you to get a lawyer.

    --
    Take the cheese to sickbay, the doctor should see it as soon as possible - B'Elanna Torres, "Learning Curve"
  11. There are possible good reasons for this... by Anonymous Coward · · Score: 2, Insightful

    Most significantly, if the account was used for external business contacts, they'l like to continue the contacts, handle any incoming e-mail, etc.

    Really, it bouls down to how you see your "customers". Is it primarily the company, or primarily the individuals?

    I might forward any unread mail and set up a permanent future forwarding, but not provide the password to the mail account itself, so the company can't pretend that Mr.X is stll working there, but others can see that Ms.Y is taking over.

    Alternatively, bounce all of Mr.X's e-mail with a message to contact Ms.Y instead.

    If I felt there was something funny about the request and didn't think Mr.X was going to go on a vandalism rampage, I might have a quiet word with Mr.X before forwarding the e-mails. It's not like he couldn't have done anything he was going to do between the firing and the company telling you about it, after all...

  12. Only in America? by E_elven · · Score: 3, Interesting

    Looks like the courts in Finland just upheld a legislation barring an employer from reading employee e-mails. Couldn't find an announcement in English, nor are the translation tools too good, so you'll have to take my word for it. So they're faring well.

    --
    Marxist evolution is just N generations away!
  13. Think of Future Implications... by TheWanderingHermit · · Score: 3, Insightful

    1) Whatever you do will set a precedent, so keep that in mind. Saying "No" seems to your benefit, since saying "Yes" could set a pattern and they could expect more in the future.

    2) Have you actually told them you still have the data? If so, this may not have been wise. As long as they don't know if the data still exists, they can push for it. If they don't know, they're reaching in the dark. This may be a good reason to start a policy of deleting accounts whenever you've received notice an employee is fired or whenever a client stops taking your services.

    3) Get a lawyer. Why? This WILL be a precedent, if not for others, for this company. If they get what they want now, they may start asking to check everyone's email account and, eventually, they might go so far as to expect you to provide them with access to all accounts. You need to find out if you have a right to refuse the request. The best news that you could get would be a lawyer telling you that you either a) don't have to provide the data, or b) are not allowed to provide the data.

    4) As said above (2 times), this will set a precedent, no matter what. In my experience, whenever someone asks for a special service, that isn't the end. It's not long before they ask for a repeat, and, once they've broken down that boundary, they ask for more and more. If you do decide to provide them access, or you find out you have to give them access, if possible you SHOULD charge for the service. Otherwise, they won't see this as as an item with value. By charging, you are setting a limit and taking steps to make sure they don't just keep asking for and expecting you to do more and more for them.

  14. Re:Simply... by SuiteSisterMary · · Score: 3, Insightful

    Seconded. He who pays for it, gets to play with it. Period.

    If this company is paying for, say, five email accounts with you, and called up to say 'what is the password for account j.foobar?' then your response should have been 'Oh, of course! The password is: gorblat.'

    Period. It's their accounts, you don't know what they do with them, you don't want to know what they do with them, you don't need to know what they do with them, and so on.

    --
    Vintage computer games and RPG books available. Email me if you're interested.
  15. Conflicting answers by redelm · · Score: 3, Informative
    You will get conflicting answers because the expectations and understanding in this area is still evolving.

    Traditional UNIX sysadmin ethics prohibit snooping in email for any reason. Snooping files and traffic is similarly verboten, except debateably (ulimit) in the case of excessive resource usage. This was done to increase user confidence and frank discussions in electronic media.

    Current capitalist thinking is whoever pays, owns. This is pushed because email has proven to be very popular, frank and valuable. A victim of it's own success.

    Personally, I did snoop in my wife's email. That's why she's now my ex. Neither qualms nor regrets.

  16. Chances are good that... by stienman · · Score: 2, Informative

    I imagine the only reason you know about this is because you haven't given them direct access to set up and delete email accounts, or to change the passwords on them. Here is my advice:

    If the email is addressed to their registered domain, then they own the email.

    If the email is addressed to your registered domain, then who owns the email depends on the agreement you had with them. If you did not have a written agreement which discloses ownership of email sent to the addresses the agreement is written for then run don't walk, directly to your lawyer. At this point it becomes a you said/they said type of issue.

    You could simply tell them what your policy is after the fact, and follow through with your new 'policy' but if you favor your relative they may sue you, if you favor them your relative may sue you, so at this point it's best to stop and get advice from someone who can represent you if their advice goes awry.

    Lastly, send out a new terms of service to all current 'customers' explicitly stating your terms of service. Tell them that if after 30 days they are still hosting with you then that act shows they agree to the new terms of service.

    In the company I work for I regularily forward email accounts to the employee who is either taking over the old position or the employee who is handling most of the added workload. The simple fact is that a lot of work-related (and contract work at that) email is always in the pipeline, and a customer is not going to take, "We fired the employee and deleted their email for privacy" as an excuse for why we didn't respond to their request in a timely manner. Our employees understand this when they come and when they go. This forwarding is only active for a month or so, and we prevent any outgoing emails from being created in that person's name from our mailserver.

    -Adam

  17. Who paid? by jmlyle · · Score: 3, Informative

    That's really what it comes down to, I think. Whoever arranged for the service to be provoided to the employee and paid for it (or managed the relationship, if the service was free), is the owner of the data.

    I really don't like it either, but a couple of times I have been required to provide people's email to my boss, including a Vice-President. I had to do a little bit of soul searcing on that, but not a whole lot.

    Then I was, at another point, asked if I could archive all incoming and outgoing mail. I made a half-hearted effort, and eventually reported back that it wasn't possible. It was an ugly time all around in those days. At least I kept my job after 90% of the employees were layed off.

    But then again, none of these people were my relatives. I hated them all.

    --
    I have misplaced my pants.
  18. Wait... by pbrammer · · Score: 3, Informative

    You simply wait for a court order. That's how things work. Don't hand anything over without a court order. Simple.

    If they don't have a contract with you stating that their e-mails on your system are their property, then you don't have to give them anything -- unless some court feels you need to.

    Phil

  19. Too late by RMH101 · · Score: 2, Informative
    "there is no written contract nor technology use policy?"

    That's you screwed then. Don't do *anything* without your line management putting it in writing. You'd be opening yourself up to all sorts of legal nasties. In the EU, it's very thorny: despite AUPs to the contrary, people have still been charged for infringing the HRI by reading others email. Even if the AUP covers it mind: and also bear in mind any email that account's recieved from other people. They didn't sign any policy and so could argue that you've infringed their privacy.
    All this is closing the door after the horse has bolted: get a formal ToS written now by a lawyer, get everyone to sign it, and tread carefully.

  20. You have a conflict of interest by JohnQPublic · · Score: 3, Insightful

    Fourth, it's my relative's account.

    Even if for no other reason, you need to stand back and look at what you've done in the past. As a business providing a service for a fee, your company must treat this user's email the same as every other's. You're opening the company up for a justifiable lawsuit from the employer if you don't. Not only that, but you're establishing a precedent you'll have to follow in all future encounters with this employer and probably all others.

    If you have no policies or past precedents to follow, you need to forget that this person is your relative and ask what you'd do with any other user. Then do the same. Your company may still get sued for making the wrong choice, but you'll eliminate the conflict of interest problem. Just make sure you immediate document this new policy, at least internally, and follow it in the future.

    Even better, if you're not just a one-person company, recuse yourself. Give the employer's request to someone else to handle, and make it clear to that person that you have a conflict of interest and that they have the full authority to make whatever decision is consistent with past practice (and failing that, company philosophy and goals) without fear of reprisals. In writing, if possible.

  21. ACM Code of Ethics by drivers · · Score: 3, Insightful

    As an ACM member I will ...
    1.1 Contribute to society and human well-being.
    1.2 Avoid harm to others.
    1.3 Be honest and trustworthy.
    1.4 Be fair and take action not to discriminate.
    1.5 Honor property rights including copyrights and patents.
    1.6 Give proper credit for intellectual property.
    1.7 Respect the privacy of others.
    1.8 Honor confidentiality.


    Sounds like you should not turn over the email. I wouldn't.

  22. I bet you're not an Experienced SysAdmin... by Anonymous Coward · · Score: 2, Funny

    If you were, then what to do would be obvious:

    1) Open your relative's email account, scan through his email.

    2) Save off all the stuff you can embarrass him with at family get-togethers. Make special note of such terms as "snookums" and "little homer" or whatnot.

    3) Find anything illegal and make an encrypted copy. Accidently lose those backup tapes. Not that you are going to blackmail your relative, but you might be able to get some moral compensation for your time and effort by spoofing email from your relative to the sender/recipient, and recommending the purp pony up some money to your favorite charity or else you'll go 'public' with it. If your relative winds up with some broken limbs, so much the better - he should have never been dealing with such people in the first place.

    4) Then, flat out delete anything that makes _you_ look bad.

    5) THEN send the batch of email to the company. Replace CRLF with \0, then tar, uuencode, compress, and bzip with a password. Make sure you remove the filename extensions at each step, and tell them it's 'zipped', and you did the work on a 'Mac' (.hqx the thing for good measure). Then, sign it with a pgp key that's registered to a third-party public key server that no-one can validate to unless they live in Tunisia.

    If the company wants the information so bad, they'll get it, eventually.

    6) Finally, to lighten the mood, spoof an email to your relative's wife pretending to be his 'office girlfriend', telling him how much she misses their little 'get togethers' in the copy room. Hillarity ensues.

    There, now you know what it takes to be an accomplished Systems Administrator.

  23. How was this handled in previous technologies? by no+longer+myself · · Score: 2, Interesting
    OK, today we get so bogged down in the technological aspect that the obvious can get away from us. Here's my point:

    Mr. Former Employee
    C/O Old Employer Co.
    123 Industrial Way
    Anytown, NJ 12345-6789

    IANAL so I don't know the answer to this question: Who is legally allowed to open this envelope? I know I've seen bosses open the mail of departed former employees, look at it and say, "OK, I know what to do with this," and walk off, but the legality of such actions never crossed my mind. Find out the answer to this, and you've probably got your answer to the ethical dilemma around the e-mail question.

  24. Read the ECPA - this is covered by Animats · · Score: 3, Informative
    Read the Electronic Communications Privacy Act. This may raise some questions, but sending a copy of this section of the ECPA back to the company is likely to result in some serious thinking about the issue. The ECPA only allows disclosure to the "addressee or intended recipient", or the "subscriber, in the case of remote computing service". Who's the subscriber here?

    Clearly, though, you can obtain consent from the original addressee and then disclose.