Slashdot Mirror
US Firms Read Employee E-mail On a Massive Scale
An anonymous reader writes "In its fifth annual study of outbound e-mail and data loss prevention issues, Proofpoint found that 41% of the largest companies surveyed (those with 20,000 or more employees) reported that they employ staff to read or otherwise analyze the contents of outbound e-mail. 22% of these companies said they employ staff primarily or exclusively for this purpose."
I also monitor your web traffic, now get back to work!
No trees were harmed in the posting of this message. However, a great number of electrons were terribly inconvenienced.
It may be just me, but I get really suspicious when a company in any business sponsors a survey and then uses the results to justify their own existence.
Particularly for the Slashdot crowd? Hell, a portion of the readership is probably responsible for helping to implement such measures.
Don't use your work email for personal stuff. It was never a good idea, and it's becoming ever less of a good idea. Don't say anything in an email that you wouldn't say in person or in writing. Be professional.
Also, don't forward chain letters, don't send around forwards of kitten pictures, pr0n, jokes, political screeds, etc. etc. Most people don't want to get it and you're wasting bandwidth.
I hope people realize this is evidence of how reasonable it is for a company do monitor your e-mail rather than acting like they are being violated. You can't chat online with babes all day.
Whale
Where I'm at I'm lucky if I can get anybody at all to read my email. Especially my boss.
Wow. So those 'I read your email' T-shirts are for real then.
Give a man a fire and he's warm for a day. Set him on fire and he's warm for the rest of his life.
I had a boss who told us when we started that everything we did at work would be monitored.
I didn't realize the extent of their monitoring! In the contract, it simply said 'all available facilities will be used to monitor employees while working'. I figured they'd check my email once in a while. They read emails, login/logout times, tracked employee positions (cameras in the office! A friend of mine was fired for taking breaks, when he went into his 'final' meeting, they showed him a time lapsed video of himself!) and recorded phone calls.
All this would come up only when they had a problem with your work - If you produced results, they didn't care what you did otherwise, but if you weren't getting sales, they found some other reason why you were doing poorly...
I spent 2 weeks skipping breaks and working through lunch trying to get a big (BIG!) contract and I was asked by my manager to do try to get this contract. I spent the rest of my time trying to make some money in the meantime... and I was brought into the office one day and they presented me with the emails I'd sent to my wife during those two weeks and told me that I was wasting company time. I told them they needed to look at the cameras to see I never left my desk, and to check the phone tapes for the last week to see that I was working hard. Turns out they only saved the conversations for a day or two...
I never got 'disciplined' for poor results after that.
I would imagine that that breaks down to 100% running scanners against email and maybe looking at flagged messages and 0% routine reading of email.
Given the tedium of slogging through just my own email, you couldn't pay me to spend all day doing that for other people.
What I'm listening to now on Pandora...
All this does is prove that you can't trust people who work at big dumb companies. They can't tell you what they really think by email, so you have to assume they are lying to you. It's amazing that 41% of these companies admitted to the practice after the whole HP scandal.
problem solved.
wow, talk about a non-issue.
Gone!
Dear Sir
I would like to apply for the job of Chief Sneak and Tattle-tale at your company. I believe I have the relevant nosiness, curiousity and contempt for my fellow employees, along with an over-riding ability to toady to management. I also love lauding it over other people that I know their business.
Of course companies are going to monitor information being sent out over their internet connections. They would be crazy not to. Want privacy? Email on your own time and your own dime.
Power does not corrupt - power attracts the corrupt.
The US will generally allow you to renounce your citizenship. I think you might need existing citizenship from another country to do it though.
Nerd rage is the funniest rage.
What they didn't mention in this is how many of the companies with more thank 20,000 are legally *required* to monitor e-mail. In the financial services sector it is very common to have dedicated staff to perform this function. I would have loved to have seen that number but I can understand why they didn't include it in the interest of cramming a few more ads on that page.....
At work it's ok to chat with friends, in moderation, as long at the work gets done.
Even with that policy though, when I chat with my wife or friends when I'm at work, I use Off The Record to encrypt my conversations.
It helps that my wife and brother Adium which already had it installed, and that I use a Linux at work which has packages in the repository.
And when I do send emails from work it's from Gmail, and always with https.
I figure that the work email is for work stuff, and they can monitor their business stuff all they want. For my personal stuff, it's personal and I'm not going to give them the chance.
https://www.facebook.com/digitizeicm -- Show your support for the digitization of the Iron County Miner newspaper archiv
Some countries, like Canada, treat email like paper mail, and you need a court order to read an employee's email. If you can't trust someone, don't employ them!
ttyl
Farrell
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
Our company has had to set up some email filtering and archiving. Why?
A receptionist for our company was fired for sending out bulk pornographic email, including video. He has done it for months. He's suing us, because he claims he was fired because he is gay. We only have a few of those emails that he send on backup because our backup only goes so far, will it be enough to not have to pay him big bucks and rehire him?
An accountant was fired for gross incompetance. She fouled up our main systems, needed her password reset with the Feds at $100 a pop several times a month, etc. Finally, she comes in and demands to work 30 hours but still get 40 hours pay. She was fired after a public tantrum. She is suing us, because she is black and claims racial discrimination. We need a LOT of documentation to back up our claims that she wasn't a good employee, because she can just say we don't have enough black people, and that can be considered proof of discrimination by itself.
We are heavily regulated about customer information. If someone emails out another persons personal information outside the company, and it makes the news, we all suffer. We have to monitor for that too.
We have to take preventative measures to block bad language from coming in and going out. We can get sued because an employee called a customer a f*cker in an email, or because someone saw a dirty joke on someone else's screen (sexual harassment).
Laws were written up to protect the "little guy", so now we have to prove to government agencies that we have made accurate hiring and firing decisions. We have to support our claims, and take preventive action, because there are so many ways that we can get screwed by employees I can't even count them.
This week we had to let someone go because they came up short by $750. We had two people dedicated to figuring out what happened for two days. We spent a lot on money and time, and we are looking forward to the inevitable lawsuit. We have email to back it all up, and because of procedures we have in place, the emails are professional and straightforward, instead of causal and possibly derogatory. It took us a while to get here, but yes, this is what you asked for. By increasing our risk through lawsuits and regulatory compliance, we have to manage that risk by monitoring our employees.
Go swear to your friends at home.
Small companies? One admin who does email in addition to everything else. Mid-sized companies? There's prolly one, maybe two dedicated admins, and they're more interested in using your emails as a means to track SMTP problems than in reading what's in 'em.
Large corps? Heh - you're just begging for attention if you start flinging around abnormal-looking SMTP traffic; esp. in really big companies that get a touch paranoid about such things as corporate espionage.
You'd be better off risking the attention of the proxy-minders with webmail than by dicking around with encryption on your email client. Using the proggies you linked to also tends to stick up like a sore thumb in any workstation app auditing... and you could conceivably get fired faster for loading unauthorized software onto your corp-issued equipment than a quickie email to your girlfriend describing in graphic detail at what you want to do to her when you get home.
Besides, most email admins have better things to do than grep emails (e.g. battle spam, figure out and fix bounces from remote mis-configured servers, curse at Verizon's RFP-non-compliant configs, keep enough inodes handy in /var, pound the load averages down to something sane, beg the powers-that-be for decent equipment, etc).
Unless your corp specifically has good reason to be ultra-anal about security (e.g. gov't contractors, Microsoft/Intel/IBM-sized corps, etc), then monitoring user emails with anything beyond simple log and traffic grepping tools is a waste of resources and time. Any company that spends more time watching their employees than their customers is a company that isn't long for the world these days.
Quo usque tandem abutere, Nimbus, patientia nostra?
That's why God intelligently designed the French Foreign Legion. Do your time under assumed name, and gain French citizenship under that name -- or go back to your home country with your real identity intact if things don't work out (well, work out well enough that you don't get splattered across Algeria).
One of their duties is guarding the ESA launch site in French Guiana, so some Slashdotters might be into that. Plus, working out and is a lot like "leveling up," as our friends at XKCD remind us. Just think of it as a real-life RPG.
Large corps? Heh - you're just begging for attention if you start flinging around abnormal-looking SMTP traffic; esp. in really big companies that get a touch paranoid about such things as corporate espionage.
There is an implied point here that deserves highlighting.
The people who are employed specifically to analyse outgoing mail, aren't looking for you emailing your girlfriend during working hours, forwarding chain letters, or calling your boss names. They're looking for the folks whose "inappropriate" mail will cost the company big $$$$ - corporate espionage, sexual harassment, etc.
Most people will never be in position to be monitored thus, because they'll just never be "important" enough.
Who watches the e-mails of the people who watch the e-mails...
1) Work for companies with over worked and under-budged IT departments who fight fires daily and have no long term plans - These companies are highly likely not to have any time to be reading your emails. Hell, you'd be lucky if the mail server stays up all week.
2) Write emails in foreign languages. In North America this works well, where so many people only speak English. Alternatively, teach your loved ones to use encryption in emails.
3) Use a fax machine. I know, waste of paper, but most companies don't have technology implemented to sniff/wiretap fax transmissions.
4) RDP to your home PC and write an email from there to your loved ones.
5) Make calls from conference rooms instead of your desk. This won't work if you call people daily, but its good if you need to make personal calls once a week or so. At the very least, it won't show up on your phone's call log, or the PBX's log about your phone.
6)If none of these are an option, you are working for a company that doesn't respect your privacy. Stand up for yourself, and go find another job.
No trees were killed in the making of this post; however, many trillions of electrons were horribly inconvenienced.
....que nadie entendeis cuando escribes asi; Especialmente cuando deja a deletrear palabras correctamente asi que no traducen. You, sir, must be a terrorist.I always told my employees that as long as they got their work done with good quality and on time, we would get along just fine. If they abused that trust they might get a warning but only once. And you know what? It worked. I've had very little turnover and high morale and my employees really worked hard. Sending a few innocuous emails to a significant other doesn't qualify as a breach of trust. Looking at porn in the workplace would be a firing offense. It's really all about what is reasonable.
reading the posts here definitely reminds me of numerous scenes from the 1985 movie, Brazil...
And opening themselves up for privacy lawsuits. Hmmm... get an email from a parent concerned about health issue X you are experiencing (unbeknownst to your employer). Employer finds out and terminates employee or boss uses it for leverage for extra work/projects. According to Mark Rasch from SecurityFocus.com, it's not as clear cut as one might think. Varying laws in the USA from State to State make the issue even more challenging. From Mark: "In many states, the same law that prohibits the interception or recording of telephone calls also prohibits the interception or recording of electronic communications without the consent of all parties."(Reference: http://www.securityfocus.com/columnists/412).
Talk about a confusing issue. You require outright consent from employees AND the party your emailing. Period. No exceptions. Simply stating 'we monitor all emails' will not hold up in court - should it ever come to it - you need permission from that individual employee - or all employees and have a readily available record of their consent.
If what I'm reading is correct, its far easier to leave your emails alone, and then search if you have an issue with court permission, than it is to be actively reading emails.
Management is doing things right; leadership is doing the right things. - Peter F. Drucker
Trust me - if the email admins noticed you, Joe Low-Level Employee, shuffling encrypted emails back and forth, you'd be frog-marched out of the corp faster than you can say "WTF?"
Have you considered, perhaps you're being a tad hysterical here?
I work at one of those "ultra-anal" defense contractors... a biggun... and know our IT processes quite well, including the realities.
They don't "frog march" people out the door for those sorts of things. Actually, the IT security guys are lucky if they can get engineering to pay attention to them at all.
Except in SCIFs, then it's a different matter.
C//
I work for a large (300,000+ mailboxes) company in the financial industry. I happen to work in the electronic communications group as a systems architect and my specific area of expertise is the design and implementation of systems that monitor email and IM conversations of employees. At a high level there are two major reasons we have systems in place that monitor these types of communications:
1) Because my company is a SEC & NASD registered company we are *required* by law to both actively monitor (in some instances we stop emails mid stream and hold them in a queue until a reviewer approves them) and archive all email/IMs of all employees who carry a license with those organizations. To not do so would be considered criminal activity and we would incur huge fines (hundreds of millions of dollars). We've been fined before; those fines were creatively structured to require that we invest XXX millions of dollars into systems that allow us to meet the requirements. A very basic example of the type of thing we monitor for are indications of insider trading. More than one broker has been let go after being caught trading unethically.
2) The second major reason we monitor electronic communications is to limit the liability of the company by halting the distribution (usually unintended) of non-public information... also known as NPI. A basic example of the types of things we monitor for are things that impact the financial well being of our customers (both people and business customers) such as account numbers, SSNs, passwords, insider company information, etc. Everyone who works at my company is subject to this second type of monitoring.
Naturally having these systems in place opens those who are being monitored to having their communications scrutinized for other types of violations... namely violations of corporate policy. i.e. use of profanity or other behavior deemed inappropriate and not considered behavior that is acceptable as representative of the corporation's image. We do actively scan for these types of issues, but generally just file the information away in case it triggers a customer complaint or is identified as repetitive and needs to be addressed by a person's manager.
I don't want to discuss the products we're using today because that is proprietary information, but I can tell you without a shadow of a doubt what direction the monitoring industry is going. There are already a handful of companies who can actively monitor data using a common set of rules/policies at ever layer of the infrastructure. There's a company called Orchestria, for example and who we have been talking to recently, who through a centralized policy engine can monitor literally everything you do on your computer through agents installed on the desktop, agents installed on IM gateways, agents installed on mail servers, agents installed on proxy servers and a border agent appliance that ideally sits in the DMZ that will perform packet level scanning and can block literally anything that it can read from those packets... going as far as to block encrypted data or brute force hack encrypted data on the fly and hold it in queue until it is scanned.
Scary right?
It depends on who you are I guess. As a technical person and admitted nerd I think that's cool as hell. It's the conspiracy theorist in me who is scared.
A friend of mine at some big name bank sent me some intersting e-mails about the possibility of said big name bank being taken over by other big name bank.
Interestingly he's been blocked from sending e-mails now but can still receive them!
I work in a smaller business (one of those shops where I'm the only only doing both the email administration and pretty much all the other computer-related stuff). What I tend to see is employees *receiving* non work-related material, not so much SENDING it.
Some employees don't even have a home computer with Internet access, so all their friends start sending their "funny photos", jokes, and so forth to the only contact address they can find for the person - the work email.
You *could* "blacklist" those people from sending you things, but come on! These are the employee's friends or relatives. They really don't want to block everything they might send them, because sometimes it's relevant or useful.
Did you even read the links? You aren't loading an executable of any kind. Those are instructions for placing a S/Mime certificate in the correct place so the "proggies" you use already can find and use them. The same can be done with Lotus or any other decent email client produced in the last 5 years or so.
Frankly, if you're doing any sort of business at all, and you AREN'T using encryption... you're an fool. Economic espionage can wipe out your business.
I agree with much of what you're saying. But I'd also point out that email *filtering* and *archiving* are two vastly different things.
It seems to me that practically all of the issues you're bringing up could be handled successfully by retaining good email backups, going back for a reasonable length of time?
Our company doesn't do anything special in the way of attempting to read employee's emails or filter their content. But we DO have backup systems that dump copies of all the mailboxes onto nightly backups, and we keep a couple alternating "month end" tapes, plus a "year end" tape that's archived away.
This way, if something actually comes up, there's a decent amount of supporting email evidence that can be retrieved for that specific situation.
Otherwise, employees have a general expectation that nobody's monitoring their daily email correspondence in a "big brother" fashion.
What I still don't get is why things like web surfing etc. are necessarily always seen as bad by companies.
...
... Here's a hint: corporate culture and motivation
:-) Google pretty much has a dot bomb culture. I think the spectacular success of one instance of a dot bomb culture is distracting you from the many failures. It is premature to say that Google's success is due to anything beyond a brilliant idea at the right time combined with rich angel investors. Their initial success and its continued dividends allows them to afford many inefficiencies, perhaps many elements of their cultures fit into this area. Keep in mind that success can hide inefficiency and that the true causes of success are sometimes erroneously attributed.
Note that the original poster wrote 'I stopped "special" surfing at the office'. There is a pretty high probability that this is referring to porn. Tolerating employees visiting porn sites is one way a company can get sued. Of course while the solution described in this article is cool and amusing, it is probably another way to get a company sued.
Ever wonder why Google is so successful?
Inertia mostly. They had a brilliant idea a while ago and have refined it since then to maintain competitiveness. Google has done many cool things since then but they are mostly a drain on success or neutral, some mild successes, but no big successes outside the original domain. Also, it is doubtful Google allows employees to browse porn sites either. With their deep pockets their fears regarding law suits are going to be pretty high.
Clue: "Law of Small Numbers", http://en.wikipedia.org/wiki/Hasty_generalization.
Now at least one element of Google culture, allowing employees the time to work on pet projects that many benefit the company, may have a proven track record. 3M allowed this for decades and many useful products emerged. Google may follow 3M's lead, but it is a little early to pass judgement.
Also keep in mind that Google offers several services that operate on HTTPS: Google Reader (great for bypassing those stupid web-filters that block political sites at repressive companies), Google Calendar (so you can schedule your interviews without alerting your company), and Google Docs (so you can work on your resume in private).
Google is also a godsend for consultants at client sites who are working with sensitive materials they don't want their clients to see (and don't want to use VPN).
Make sure everyone's vote counts: Verified Voting
You'd be surprised. Some contractors did something like this at my company in order to use IM software and read external email. They were quickly found out by our admins, and told to knock it off or they would get terminated. And this is a very big company.
HTTPS is not protection against an intelligent network appliance. I know this because my company employs an appliance that sits in stream that identifies the originating HTTPS connection and intercepts the key that is supposed to be passed back to the client. Instead what happens is the network app creates a bogus key that it passes back to the client and maintains the encrypted relationship with the target website directly. What the client gets back is NOT the encryption from the website... it's spoofed encryption. That allows the appliance to read everything it wants that is being communicated between the two points.
The concept of network security is about as effective as the concept of airport security.
Correspondence from your work e-mail is no different from paper mail on company letterhead. The company owns what has its name on it and what's composed on company time.
But some companies might be better off putting that kind of effort into quality control on the *products* they send out, rather than correspondence.
If somebody sues for sexual harassment, etc, porn surfing in the office would be used as red flag evidence that the company tolerated or facilitated a hostile work environment for women.
I hope you can explain how someone can get (realistically) sued because their employee surfed porn. I'm dying of curiosity here.
;-) Things visible to coworkers or visitors, even "tame" bikini calendars, can create a "hostile workplace". It is largely a judgment call by the "victim". If he/she says they were uncomfortable, made a report to management, and management failed to take action the company can be sued and more importantly may in fact lose.
You have obviously never had any corporate sexual harassment training.