Slashdot Mirror
63% Of Corporations Plan To Read Outbound Email
John writes "Aviran's place reports that a recent survey of 332 technology decision-makers at large U.S. companies reveals that more than 63% of corporations with 1,000 or more employees either employ or plan to hire workers to read outbound email, due to growing concern over sensitive information leaving the enterprise through email."
The funny thing is... well, not so much funny as it is disturbing, signing an employment contract.
Remember that signature on that thick paper you've signed prior getting that high paid tech job? The one saying that everything you think of during working hours is theirs? The one that maybe is saying (in some cases) that everything you think on and off during working hours, while employed or 3 years after also belongs to them?
Well, it seems to me, and I might be way off here, that thinking up an email by an employee is in fact his company's property and hence, they have all the rights to read it, and it doesn't breaks anyone's right to privacy.
Can anyone with legal experience enlighten me on this one? Do the bastards have the right to do so, provided that one doesn't sign a document that explicitly states "you can read my email" but instead contains a fine version of "all your bases, off lunch hours, belongs to us?
And it's all going to be done through a goverment agency call the Thought Police.
Next, Telescreens and microphones in every home!
Slashdot = ((Technology + Politics) / Trolls) % Grammar Nazis
Who do they hire to read the outgoing emails of the people they hired to read outgoing emails?
This is so far ahead of it's time I just don't know what to say...
I can't send more than maybe one or two MB of data through my email.
But I can easily shove a 1GB USB stick up my ass and walk out past the guards.
This isn't funny as it has resulted in more than one person being terminated because of what was called "inappropriate" material (meaning someone COULD have taken offense to it. Remember...Charlie is Watching!
I'm not a troll, but I play one on Slashdot.
For example if I include the name of one of my company's products plus "bug"/"flaw"/"crash" then I can expect a follow-up scolding from HR. (I found this out the hard way) Course that's cake compared to the other spying and practices that go on.
My corp uses AIM for internal communications, and I am really disturbed by this. I'm amazed the local admins have allowed this to go on. Basically all our conversations are going through AOL's servers and the internet, in plain text. And there is ABSOLUTELY no reason for this, since we're all on the local LAN.
I'm planning on setting up a jabber server on the linux box there, but it may be a chore getting employees to switch from AIM to something like gaim or trillian (does trillian support jabber?)
Nope, you are getting it all wrong, imagine the following: "And by this, my dear shareholders, our development team will know that their email is read, thus, reducing the time they spend on writing non-work related emails to minimum... and..." :) Management 101 = "everything is magic"
Well, the gut reaction is to say this a bad and terrible thing (also a bit silly, as it seems to me that anyone with any technical know-how would just use internet-based mail to get sneaky anyhow), but really, if you're on their payroll, isn't it well within their right to make sure you're not doing damage to them?
At the very least, it seems like a good way for the companies to weed out the idiots who would be stupid enough to send questional material through their servers.
Yeah, it sucks to be being watched and not trusted like that, but this shouldn't outrage anyone. They'll probably reverse their policies when the costs of something like this start racking up with nothing to show for it.
IANAA, however I've been negotiating my own employment contracts for years. I carve out broad exceptions for any work I do offsite, without their equipment, and not under their direct orders. I also include a phrase exempting any pre-existing intellectual property. I also usually strike any anti-whistleblower clauses. So far, none of these changes have ever stopped my employment.
As I recall, the right to privacy applies only when and where one has a reasonable expectation of privacy. If you're in your employer's facility, on their equipment, using software licensed to them and interacting with servers owned by them; you've no more expectation of privacy than you do on a CB channel. Their ability to check your e-mail is roughly analogous to the rules that enable you to record phone calls in your own home if you inform the person who calls that they are being recorded (rule varies from State to State).
As with most draconian Big Brother initiatives this one won't work. What's to stop employees from just logging into a private webmail account over HTTPS and sending information out that way? Unless employers block browser access, search people for USB keys, iPods, floppies etc there's a dozen ways information can be leaked out of a building.
One of these days I'm moving to Theory - everything works there
Having just read everyone's e-mail I know, I would be GREAT for the job. Where do I apply?
From: steve@apple.com
To: paul@intel.com
Subject: Execute Order 66
Dear Paul,
let's do it,
signed
Steve
Really. This wouldn't affect me in any way, because I never use work time for personal business, and I like my boss! He's so clever and intelligent.
I bet even ROT13 "encryption" would defeat the corporate censors.
The Internet is full. Go Away!!!
A recent survey of 332 technology decision-makers at large u.s. companies reveals a growing concern over sensitive information leaving the enterprise through email and through USB memory sticks hidden in their employees ass.
In its 2005 study on outbound email security and content issues, email security vendor and ass searching expert Proofpoint found that more than 63% of corporations with 1,000 or more employees either employ or plan to hire workers to read outbound email and search their employees ass when they arrive and leave from work.
Tat Tvam Asi
This is oh-so-wrong on too many levels! One (that's too many.)! There are so many ways for employees to betray a financial or corporate trust. Likewise, there are many ways for an employer to betray a trust. This would, in my opinion, be one of the most onerous with many potential avenues for backfiring.
Consider the disgruntled or dishonest employee. Think they're intent to betray a company is stopped by this policy? Not a chance! This kind of "policy" would only bolster a disgruntled employee's rationalization/justification, etc. to follow through with betrayal. They only need choose some mechanism other than e-mail and there are many.
Now, consider the neutral employee... a policy like this could create a tipping point and generate resentment enough to give cause to consider doing something subversive to a company. After all, the company, by fiat, is essentially assuming an employee is "up to something".
Finally, consider the loyal employee (how many of those will there be after widespread policies like these?)... A quick glance around and loyal employees may begin to wonder what end from loyalty....
No, this is just plain bad policy.
Or at least they used to. I worked at Bell Labs in 1997 and one of my co-workers was escorted out of the building by security. He was discussing one of his projects with someone that he went to grad school with via email. It's not like he was selling info to a rival company, but he broke is confidentiality agreement and they fired him.
What's funny about this is that I told him they recorded every keystroke on the UNIX boxes (no one used Windows except for Word and Excel) and that they had a visible and hidden copy of the log file so they could compare. They probably had a third, but I only found the first two.
In today's companies, I find it amusing that they would claim to hire people to sift through outgoing email. My company won't hire people to train internal staff to do their jobs. Instead they pay people to correct the mistakes. It's a joke.
I've had to read peoples' emails when HR asks for emails related to a specific topic (usually legal), and I can tell you it's like washing someone else's laundry: it's voyueristic at first, but after a while, it's just dirty laundry.
Ummm, Jon, aren't you supposed to be dead...? - Otter(3800)
The people who were hired to read the outgoing email of the first group of people hired to read outgoing email have been sacked.
Raise your children as if you were teaching them to raise your grandchildren, because you are.
...will begin reading their incoming e-mail.
My comments are my own, and do not represent the views of my employer, my spouse, my children, or my cats.
I'll explain to my shareholders why I wasted $50 or so thousand a year paying an employee or two to check email.
And while I'm doing that, you can explain to your shareholders why the company lost millions of dollars on a new product because someone inside the company sent company secrets to a competitor.
Or you can explain to the shareholders why the company is now paying a multimillion dollar settlement for sexual harrassment via an employee's email.
Paying someone to read email is vastly cheaper than the alternatives. If you drive 20 years without an accident, do you consider the insurance payments you made to be "wasted"?
In addition, employers don't need another trick to sack an employee. Unless you signed a very unusual contract, or you are an empoyee that is covered by a union, your employer can already fire you because the sky is blue, the grass is green, or they didn't like the color of your socks last Tuesday. Most tech employees are hired "at will". They can be fired just as easily.
Finally, as far as privacy issues go, you have no privacy on work place computers. The company owns the hardware and software and pays for the power to run it, you don't. And in the United States, there are multiple Supreme Court rulings to back that up.
I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
I once worked at a small software firm (50 emplyees) and we "merged" with a larger one. What was once an open workplace of mutual respect quickly became one location of seemingly untrusted drones. The new corporate office demanded a firewall, so they could watch what we visited. They snooped people's Exchange folders. Etc.
It had never occured to me to betray my employer. But when they started treating us as untrustworthy, my fellow admins and I came up with all manner of methods to thwart the security measuress. It helped, of course, that we were privy to those measures, which we were sure to disclose to fellow workers who had no idea.
And you'd better be *really* thorough with that Acceptable Use Policy. :) Sure, you can watch what I visit on the web, but it may only *seem* innocuous. One user on the inside may be sending weird HTTP requests to a legit-looking site. But in reality, those requests are lines of an ASCII armoured PGP file (properly URL-encoded, of course).
I don't care if it's the company email server, on company time, yadda-yadda-yadda. And I don't care if the ream of paper I signed to put food on the table gives them the right to records phone calls, archive email, and takes ownership of portions of my brain -- 'cause they *all* do it these days. It's not outright collusion, but the end result is pretty much the same.
If the company expects me to interrupt home/private time for their beneift, they'd better damned well respect my privacy on the job, because there's little time to tend to personal affairs requiring 9-to-5 services otherwise.
"That badge don't make you right."
Method of processing duck feet
On the other, this just means smaller companies will get better employees who don't want to be drones. That's one of the reasons I started my own - I hate oversight, and am bad at playing employee.
On the gripping hand, ethics are important. And they're hard in large companies. To some extent, if you're a large corp, you need process in place of understood ethics, because the former is enforcable and the latter much less so. I still think the balance tips to small corps. But then, we can't turn out replacement Apple CPUs, so our role is constrained.
I forget what 8 was for.
Believe or not there are actually at least four different bases on which you could (but probably won't be able to successfully) argue for a right to privacy with regard to email communications sent from work:
(i) The Fourth Amendment to the U.S. Constitution, which reads: "[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures" -- but which only applies toward government action (although some pretty surprising apparently private actions can qualify as "governmental");
(ii) the Electronic Communications Privacy Act (ECPA), which covers email, and prohibits "(1) unauthorized and intentional 'interception' of wire, oral, and electronic communications during the transmission phase, and (2) unauthorized 'accessing' of electronically stored wire or electronic communications." -- but allows exceptions for companies which provide internet service, and does not apply if the employee consents to ECPA violations;
(iii) State statutes, which obviously vary wildly from state to state. The article that I'm using as my primary source notes that " Members of state legislatures have attempted to pass bills that would strengthen the protections of workers against electronic monitoring in the workplace, but they have generally failed because of sustained and effective corporate lobbying." (*mweheheheheh*).
(iv) Common law (which also varies from state to state) which sometimes recognizes an "actionable right to privacy" -- but under different caveats in each state.
Ummm . . . so yah -- it's complicated, so much so in fact that it's an open question in various states whether or not its legal. Also -- not surprisingly -- the legality of the monitoring will often depend on the purpose of monitoring, the purpose of the communication, sometimes even the industry you're working in, etc. Good luck figuring it out -- especially if you signed a (now practically standard) agreement allowing your employer to snoop through your work emails at will.
Generally, when the law is this fuzzy, corps will do whatever is in their best interest, and count on their lawyers being better than your lawyer if you sue. They're generally right. So assume that your workplace email communications are being monitored. We are the point now that it is never a good idea to send via email something you wouldn't mind all your colleagues seeing. Use Yahoo! or Gmail and at least make it a challenge for BigBroCorp to keep tracking of your on the job dicta. Of course, sending risque stuff from your workplace email may be your chance to be famous. Hehe.
Regards,
Moiche
The people who sacked the people who were hired to read the outgoing email of the first group of people hired to read outgoing email, have been sacked.
Raise your children as if you were teaching them to raise your grandchildren, because you are.
Hellooooo encryption. *nods head*
Hello reprimand or unemployment. *shakes head*
Yeah, make sure look like the person leaking company info or products, draw attention to yourself as someone who needs more surveilance.
Here in the state of New South Wales, our workplace surveillance laws have just been amended to specifically address this issue. By law, employers are now forbidden from carrying out covert surveillance of their employees, whether by email, phone, video camera, or anything else. They need a court order and a reasonable suspicion of wrongdoing before an employee can be monitored. See the following report from AAP (Australian Associated Press).
NSW: Employers to risk charges for spying on worker's emails
Wednesday, 04 May, 2005
Content provided to you by AAP
SYDNEY, May 4 AAP - Employers who read workers' private emails may soon risk criminal charges with legal safeguards being introduced today by the NSW government.
NSW will be the first Australian state to outlaw unauthorised spying of employees using technologies including video cameras, email and tracking devices with the introduction of the Workplace Surveillance Bill 2005 to state parliament today.
The new laws will make it a criminal offence to take part in any form of covert surveillance unless an employer can prove they had reasonable suspicion of wrong doing by an employee.
"While some employers argue that this is necessary to protect their legitimate interests, employees expect that their private correspondence, like their private telephone calls or private conversations, should never be the subject of secret monitoring," NSW Attorney General Bob Debus said in a statement today.
"We don't tolerate employers unlawfully placing cameras in change rooms and toilets. "Likewise, we should not tolerate unscrupulous employers snooping into the private emails of workers."
The new laws will strike a balance between an employee's right to privacy and the legitimate needs of employers to protect their intellectual and commercial property, he said.
"Unless employers have a court order, they would need to give employees notice that surveillance will be conducted," Mr Debus said.
Indeed! Especially when you've probably signed an employee contract allowing them to do that.
Signature.
I work for a life insurance company and just wanted to point out that any information systems that contain or have access to EPHI (Electronic Protected Health Information) are bound by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) which specifies in more than one part that measures must be taken to ensure EPHI is kept confidential. This INCLUDES monitoring outgoing e-mail. My company is small, our IT department consist of 4 programmers, a network admin, 2 help desk people, a production operator, 3 business analyst and a manager. We don't want to be bothered with this crap, but we are obligated by law.
Thanks for ruining the movie for me. Well, at least I still don't know whether Anakin will go to the dark side or not.
I keep seeing posts on Craigs List in the "Gigs" sections titled "Get paid to read email" but they are usually deleted by the time I read the the posts through my RSS feed. Maybe this is what these are all about: companies can outsource their email reading to an overseas Asian country, that'll really keep security nice and tight!
"you've no more expectation of privacy than you do on a CB channel."
Might as well go all PsyOps on their corporate asses then.
Have some outside dummy accounts you can send email to. Send messages full of glowing comments re: boss & company, and others that refer to a mysterious dark conspiracy that haunts your past. Something involving genetic experimentation, a mad European scientist, and a mysterious Brazilian clinic.
Then the week before you quit, start sending mysterious messages encoded in pig-Latin.
"The owls-nay are not as they eem-say."
Why do I think they have a right to? Simple, I have to trust them with my personal financial information as does practically anyone who uses a credit card, thus I want them to protect it. That protection is an obligation, not an invasion of my own or anyone else's privacy.
Furthermore encrypting doesn't necessarily protect your privacy on a work computer.
Encrypting only stops them from decyphering what was sent, not what was originally created as it was in the process of the creation. With a solid security scheme in place, I expect the system records everything and flags long numbers, curse words and clipboard pastes. I certainly hope it does anyway.
Bottom line. Don't trust anything to be secure unless you own the box and know how to keep it secure yourself. Even then, assume somebody smarter than you might figure out a way past it and try to keep the damage potential to a minimum just in case.
B) Eliminate all the stupid users. This is frowned upon by society.
1) Encrypt it
2) Have your signature include a (c)2005
3) and if the break the encryption, they are violating the DMCA. 4) ??? 5)Profit!!!
Watch for Penguins, they eat Apples and throw rocks at Windows.
If I can't send an e-mail to my wife from work saying "what do you want me to buy at the grocer's at the way home?", then it's only fair when I ignore anything job-related as soon as I exit the company building. But this is of course absurd, and companies all the time expect people to carry over their work problems into their spare time -- read stuff, talk to people, etc. If it's OK for the employer, it should be also OK to let me send a few private e-mails from work. Otherwise, it's not fair.
"Long run is a misleading guide to current affairs. In the long run we are all dead." (John Maynard Keynes)
"The SEC also gets rather in a huff if traders are not closely monitored for violations of sections 16 and 20 of the Securities Exchange Act"
:-)
I've only been in a situation one time where this applied to me, with any degree of risk. Early in 1986 while working for Haynes & Boone, I knew about the takeover bid for Safeway. This wasn't revealed to the general stockholders/employees until the next quarter -- when they started receiving litigation documents and tender offers and stuff like that, that we were already preparing.
At the time, I didn't have any money or even much of an idea what could be done with this kind of information, but it was certainly made very clear to me that it would be a Very Bad Thing to discuss the minimal information I had with anyone outside the firm, or to do any trading based on the information. I'm sure at the time, just the idea that I could lose that shiddy job was enough to keep me honest. The only thing I was really aware of, was that I was part of the process of making a whole lot of people lose their jobs, and asking them to sell their stock at rock bottom price (or risk holding it to zero, I suppose). I remember it didn't bother me at the time, because I perceived these people as being in a higher class than I was in, what with their good jobs and having enough money to buy things like stock in a company. Hell, they probably owned late model cars, lived in houses, that sort of high-falutin' lifestyle. Here I was with a college degree working for a bunch of Texas assholes, not even making enough money to meet my modest expenses. In other words, I was in exactly the kind of position that, had I known how to do it, I could have been pushed into the sort of rebellious mode where I might have taken advantage of this. I mean, I can tell you for a fact that same year, I drove drunk, discharged a firearm inside the city limits, smoked marijuana, and jaywalked (on the way to the courthouse to pay a traffic ticket, I got a ticket for jaywalking!) So the slippery slope theory practically *required* me to do some securities fraud, right? Well, I didn't have any idea about that sort of thing, and I didn't exactly have a whole lot of money anyway. So I guess it's a good thing... Jeez, I just remembered, that was the same year I applied to the police department (I was desperate), and they almost took me! Holy cow.
That Michael J. Fox movie wasn't out yet, or "Wall Street" with the Sheens, but I must admit, after seeing that movie I fantasized about getting rich through questionable means
(If my employer is reading this, I have since rehabilitated myself and can categorically assure you that I entertain no such notions, nor would I act upon them, were I in a position to do so.)
(If you worked for Safeway in 1986, I'm really sorry. I was too much of a punkass to recognize a human face on that paperwork.)
-fb Everything not expressly forbidden is now mandatory.
In France, the situation is the following: A corporation can anly read emails concerning business. The emails sent from a corporate email account but concerning private matter can not be read. The problem is: how can companies know if an email is a business or a private one ? AFAIK, in France, we often are asked to put a special word (eg: private or personnal) in the title in order to avoid scanning.
le souvenir d'une certaine image n'est que le regret d'un certain instant (M.Proust)
However, in a company setting, this is no problem, as the company can easily set up its own certification authority, and install the CA certificate in all its employee's browsers as part of the standard installation procedure.
You are describing something called a "man in the middle attack". Easiest way to defeat this one: Download the certificate at home and take this one with you to the company and install it there. If the company has an SSL interceptor, it will surely ring the alarm bells.
It will also ring the alarm bells if the certificate you downloaded at home is tainted by the home ISP's SSL interceptor though. But at least you know that one of your points of entry into the internet is 0wn3d.
Less likely, or do you let your ISP set up your computer for you? The attack is only possible as described if the attacker can somehow install the root CA certifcate of his CA into his victim's browser. That's trivial in a corporate setting, but more difficult for an ISP.
No, but the keystroke logger still picks it up.
"You're never ready, just less unprepared."
This is absolutely the number one security breach today, actually, and it's internal as external. Oh, you don't have access to that directory on the company's intranet? well, let me just email that document to you...
Companies do need to protect themselves. There's some very interesting development in that area, in fact. http://www.vidius.com/
Company secrets leaking out through email? Hell. 80GB walking out, as per company rules, in my backpack every single day.
I used to work for a university in the MBA school. In order to get the best possible professors for our students we had to allow them to do consulting for large companies on the Uni's time as we couldn't afford to pay them what the going market rate was. This practice was regulated in that they could only spend 30% of their time consulting and they couldn't use any of the schools recourses (IE letter heads, websites, secretaries etc..). Now on the face of it this worked well for both parties as we got the best from industry plus the profs got the salary they had come accustom to. However, as human nature would have it, the profs got greedy and started abusing their position and students started to take notice that the very expensive course they had just paid for was suffering. So as IT we were charged with implementing all sorts of monitoring to gather evidence of these facts to weed out bad apples, otherwise the school would go bust and 100's of people would lose their job. The loss of privacy I can live with, the loss of a single mum's job because of a greed fat man I can't. If faced with that decision again, I would make the same choice in a heart beat.
There is also another good reason for this which is not entirely related to sensitive information leaving the company via company email and that is the sexual harasment/bulling. It is necessary to monitor email to limit this kind of activity before it blows up in your face. We recently did a audit of email boxes and found that 60% stored what would be considered (by law in Australia) as a offensive amount of porn that the company could be and would be held laibale for. What was worst was massive internal/external mail groups that were being sent to. I have no problem with porn (of the legal kind) just view it and send it on your own time. No one likes to see you spanking it at your desk!
It said "windows 98 or better" so I installed Linux
Anyone using someone else's communications technology should not expect their communications to be private from the owner of the technology. This includes phone, email, SMS, etc. I take it for granted that if I'm on the phone with someone there may be a lineman down the block testing the phone lines and may overhear part of my conversation. I don't believe my employer is currently reading my email, but I totally believe in their right to do so.
The only reason there aren't more employers monitoring email is simply due to a lack of manower to do it.
Bottom line: never assume privacy. Only assume better privacy by actively employing measures yourself. (pgp etc) And of course if you're using pgp on on your employer's computer, isn't that a major false sense of security? (if it's not owned by you, consider it 0wn3d)
I work for the Department of Redundancy Department.