Slashdot Mirror


European Court Rules Companies Must Tell Employees of Email Checks (reuters.com)

Companies must tell employees in advance if their work email accounts are being monitored and such checks must not unduly infringe workers' privacy, the European Court of Human Rights ruled on Tuesday. From a report: In a judgment in the case of a man fired 10 years ago for using a work messaging account to communicate with his family, the judges found that Romanian courts failed to protect Bogdan Barbulescu's private correspondence because his employer had not given him prior notice it was monitoring his communications. Email privacy has become a hotly contested issue as more people use work addresses for personal correspondence even as employers demand the right to monitor email and computer usage to ensure staff use work email appropriately. Courts in general have sided with employers on this issue.

71 of 103 comments

  1. I work in IT by Martin S. · · Score: 3, Insightful

    So I'm going to assume they can and will read anything I do at work and act accordingly.

    1. Re:I work in IT by stealth_finger · · Score: 2

      So I'm going to assume they can and will read anything I do at work and act accordingly.

      Yeah, shouldn't that be the base assumption? Even if it's not actively being monitored or has ever been it has the potential to be and can at least be checked up on.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    2. Re:I work in IT by dindi · · Score: 3, Informative

      +1 ...

      And why on Earth would someone conduct private business on a company email account.

      Now if they sniff my private mails going to my phone through an external provider, or my home email, that would be a different story.

      But again, I wouldn't use the company's wifi to even receive private mail or access private stuff. For that, you have your data plan.

      And yes, a company computer, a company connection and a company account DOES BELONG to the company, thus should and will be monitored by the company.

    3. Re:I work in IT by TechyImmigrant · · Score: 1

      >And why on Earth would someone conduct private business on a company email account.

      Because you're working late and you need to tell your wife that you're going to be late home, and your employer isn't a douche so is fine with you sending personal emails and has said so.

      Not every employer has a scorched earth policy regarding these things.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    4. Re:I work in IT by networkBoy · · Score: 1

      My company has a "guest" WiFi and a company WiFi. I *assume* both are monitored, and I *assume* that I have no privacy on either.
      In the case of the guest WiFi I view it no different than the WiFi at a starbucks. I'll use it, but only through a VPN using a pre-shared key and strong encryption. My company WiFi I won't use at all, other than to connect with my company provided computer.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    5. Re:I work in IT by kwerle · · Score: 2

      And why on Earth would someone conduct private business on a company email account.

      Have you ever met people? They're idiots.

    6. Re: I work in IT by F.Ultra · · Score: 1

      I use the company phone for all my private calls (it's the only phone I have since I don't need another). I also use the company network and computer for personal usage (i.e. posting here), I have a company computer at home and my Internet connection at home is owned by the company. Works well for me, don't understand why it's seen as so obscene by foremost US citizens.

    7. Re:I work in IT by AmiMoJo · · Score: 2

      From TFA:

      The company had presented him with printouts of his private messages to his brother and fiancée on Yahoo Messenger as evidence of his breach of a company ban on such personal use.

      Barbulescu had previously told his employer in writing that he had only used the service for professional purposes.

      So it's not even email, just Yahoo chat. The issue here is not that he lied about using the service for work only, he could still be fired for that, it's that in the EU an employer can't simply read everything on its network because the users of that network have some small expectation of privacy.

      Don't misunderstand this. Network monitoring for detection of intrusion, scanning emails for viruses and spam, that sort of thing is still fine. Even reading employee emails when there is some good reason to is okay in the right circumstances. What isn't okay is the boss being able to read anything an employee writes in a random chat message to their family. Seeing that they are chatting to their family is fine, and the additional invasion of privacy isn't necessary to sanction them for it.

      It's really quite a narrow ruling, but an important one. It reinforces the idea that privacy is a basic human right in the EU and that there must be good reason for violating it. Consider that just because the employer owns a laptop that it gives to you, that doesn't give it the right to remotely turn the web cam and microphone on whenever it likes, e.g. in your home, or even in the office where most people would be upset if you set up a CCTV camera on top of their monitor.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:I work in IT by clovis · · Score: 1

      +1 ...

      And why on Earth would someone conduct private business on a company email account.

      Some companies are blocking the common webmail providers.
      It's done for IP security (makes it a little more difficult to send out company confidential information), and also to block the main portal for entry of malware.
      If a person feels they absolutely must communicate with family/friends/commie spies/etc, they can use the phone.
      Also, there's always dingbats that get confused and will use both the company email and google, yahoo, etc for business mail which leads to all kinds of problems.

    9. Re:I work in IT by GNious · · Score: 1

      Good luck controlling what is sent to you

    10. Re:I work in IT by AmiMoJo · · Score: 1

      It's actually in the company's interest to allow work computers to be used for private stuff.

      My boss has my private email address. Once or twice I've answered questions while on holiday. Very often something I read during lunch break for my own private amusement turned out to be very helpful for the job. All that would go away if they suddenly got strict about computer use, although I'd probably jump ship anyway in short order.

      A little trust goes a long way.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    11. Re:I work in IT by Carewolf · · Score: 2

      So I'm going to assume they can and will read anything I do at work and act accordingly.

      Yeah, shouldn't that be the base assumption? Even if it's not actively being monitored or has ever been it has the potential to be and can at least be checked up on.

      No, it shouldn't. And in Europe a reasonable expectation of privacy is a codified right.

    12. Re:I work in IT by Actually, I do RTFA · · Score: 1

      And yes, a company computer, a company connection and a company account DOES BELONG to the company, thus should and will be monitored by the company.

      The company's toilet, the plumbing connection, and the water flowing through it all "DO BELONG" to the company as well.

      --
      Your ad here. Ask me how!
    13. Re: I work in IT by Cederic · · Score: 2

      Well, no, not end of story at all. The story includes regulatory compliance, which covers things like protecting consumer data, fiduciary responsibility, obligations against modern slavery and various audit controls.

      Failing to monitor work email accounts is in some situations actually illegal.

    14. Re:I work in IT by Cederic · · Score: 1

      Most people in the UK (and I'd guess the rest of the EU) have a personal telephone with them even when at work, so it's very possible to contact people through telephony without using any company equipment at all.

      Although of course, most phones these days allow use of private email too, so it's odd to suggest ringing people you want to email..

    15. Re: I work in IT by Teun · · Score: 2

      No it's most certainly not end of story.

      As Carewolf writes in the EU (that includes Romania) there is the codified Expectation of Privacy.
      Virtually all companies that use a law office for their contracts will have their employees sign a paper that they understand the company supplied mail and Internet access can be monitored.
      Such a contract would include that you can to an extent use it for private conversations, abuse will not be accepted.

      Another way to look at it is when the mail address includes my name it can hardly be claimed it is 100% company property, or do you want to say my hotmail.com address belongs to Microsoft making them responsible for what I write?

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    16. Re: I work in IT by Carewolf · · Score: 1

      Work email accounts belong to the company, end of story. To assume otherwise is delusional.

      Nope. Not anywhere in the EU.

    17. Re: I work in IT by Carewolf · · Score: 2

      No it's most certainly not end of story.

      As Carewolf writes in the EU (that includes Romania) there is the codified Expectation of Privacy.

      Virtually all companies that use a law office for their contracts will have their employees sign a paper that they understand the company supplied mail and Internet access can be monitored.

      The details might depend on the country, but in Germany such a contract is only legal and valid if they are exceptions, that is if they only apply to a minority of employees for whom special consideration makes such a contract necessary. If forced on everybody it is not just not valid, it is outright illegal.

    18. Re: I work in IT by K. S. Kyosuke · · Score: 1

      Much like in case of having a desk with a lockable drawer at your office, it's quite practical to occasionally put something there that is not strictly work-related. And much like in case of having a lockable desk at your office, there's next-to-nil cost to the company for it, so nobody except for brain-damaged micro-managers is bothered.

      --
      Ezekiel 23:20
    19. Re:I work in IT by KingBenny · · Score: 1

      should and would ... i think the point is that they have to officially notify / warn you that they're doing it before they're doing it, i dont think the right of the employer to monitor his own lines is on the table here, but the duty to inform their employers if and when they do before they do it.
      i agree its their hardware and their lines, just like they get the right to hire and fire whoever they want for whatever reason, no matter how idiotic
      i mean its all nice to be pc about it, but if your employer doesnt like you i dont really see the point in forcing him to keep you since your life will be hell , but im drifting off topic again (one of my superpowers ... dispersion and diffusion)
      so ... yes, i think its all about the employers duty to inform up front, not about his or her right to keep taps (tabs?) on their own lines or not .. so if you don't like it then you can tell him or her to phrack off and look for another place, and if you don't mind you can just accept the job
      pc-europe ... selling the privacy of its citizens, big brothering to the point where any kind of non pc speech can actually get your house raided but when it comes to looking good protecting rights they're good, right, just a bit confusing and obfuscated and don't forget, in soviet europe, any law can be surpassed for raison d'état (yes i say that a lot but thats because it is, in what calls itself western democracy, something like the thing that shouldnt be hm hhmmm...)

      --
      Free speech was meant to be free for all... how can anyone grow up in a nanny state ?
    20. Re: I work in IT by F.Ultra · · Score: 1

      Almost, Sweden.

  2. Don't do that with your work account by bluefoxlucid · · Score: 1

    Privacy is one thing, and most businesses--even Federal agencies--confer a limited personal use policy, allowing you to browse the 'net and do things with their equipment as long as you do your job. This was actually directly described on the MOTD at log-in at the Social Security Administration. There's a reasonable expectation of privacy; it's also their system, and what you do is subject to inspection.

    So yeah, they won't suck up your cookies, hack your gmail, and snoop your bank accounts; they will read your e-mail and inspect the files on your computer if they so choose.

    Maybe don't e-mail naked pictures of yourself using the corporate email account. It also really irritates your mail admin when the FBI shows up and requires access to search your company e-mail the morning after they pick you up for child pornography.

    1. Re:Don't do that with your work account by __aaclcg7560 · · Score: 1

      If you mixed personal emails with your U.S. government emails, Congress can subpoena your personal email account. Something as innocent as sending an email to inform your boss that you're running late for work can make your personal email account fair game to congressional investigators. Make sure that your personal email account is "clean" unless you want to read about your messy relationship emails in The Washington Post after being leaked by a congressional staffer.

    2. Re:Don't do that with your work account by networkBoy · · Score: 1

      I post to /. on my company machine.
      I don't connect to FB or my google account, however.

      Reasonable use doesn't mean private use ;)

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    3. Re:Don't do that with your work account by KiloByte · · Score: 2

      And that's the reason why this company lost: they didn't tell the employee about the monitoring.

      So there'll be a single line added in an obscure place to the pile of paper you're required to sign upon being hired, without even an opportunity to actually read what you're signing.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    4. Re:Don't do that with your work account by war4peace · · Score: 2

      No, because the EU laws don't allow for that douchebaggery to exist.
      I work in the EU and there are big signs at entry doors warning that the place is being monitored through CCTV.
      We have signed a separate document which details what exactly is being monitored, how and for how long, with a list of cases where monitoring would happen, etc.
      I do know that all files on my company-issued laptop are scanned and their file names (NOT the contents) are saved for later scrutiny if need be, but in order for that scrutiny to occur, there needs to be a good, legally-established reason.
      Files and their contents are backed into the cloud, but I get to choose which ones should be backed up, it's my responsibility to select them (and the privilege to not select the ones I don't want backed up).
      There is an expectation for reasonable use of company assets for personal reasons, with top 5% overall users of, say, mobile data being informed they are in top 5% and still not monitored in detail, only told "hey, during the last X months you've been using a lot of mobile data, please try to reduce usage".

      This helps employees be less paranoid and focus on work rather than avoiding employer scrutiny.

      --
      ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
    5. Re:Don't do that with your work account by jabuzz · · Score: 1

      Correct. Though in exceptional circumstances you can still monitor the emails without telling the employee.

      This was a super narrow judgement, tell the employee that work email accounts will be monitored and you are in the free and clear. I would add that any sensible employer would already be telling their employees that anyway.

    6. Re:Don't do that with your work account by Teun · · Score: 1

      Yes but as an employer you will have to notify the works council of your planned monitoring including the reason why.
      As the chairman of our works council I've been in that situation, there was indication one of our lab managers was in the process of setting up a competing lab in his own name.
      He was released a day later, the proof was overwhelming, what a stupid idiot to use company mail for such a dirty trick.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  3. Why would this matter ? by Thanatiel · · Score: 1

    Who would use the mail box of the office for something personal ?
    At our day and time, the smartphone is more than enough for the odd 3 lines messages for emergencies.
    If you need more, do it at home, not on your company's dime.

    --
    Irrelevant news and morons using moderation to mod down what they disagree on. 2018 resolution: so long.
    1. Re:Why would this matter ? by RobinH · · Score: 1

      If you're using your phone at work for personal use, you're doing it on your company's dime too, particularly if you're paid hourly.

      --
      "I have never let my schooling interfere with my education." - Mark Twain
    2. Re:Why would this matter ? by Thanatiel · · Score: 1

      I specifically said "3 lines for emergencies" : life happens (or death, as the case may be).
      Taking more than a minute is where I draw the line.

      But maybe you have a different perception of what construes an emergency.

      --
      Irrelevant news and morons using moderation to mod down what they disagree on. 2018 resolution: so long.
    3. Re:Why would this matter ? by networkBoy · · Score: 1

      That depends:
      Is it on a designated/designatable break? Then no, you're not on your company's dime.
      Are you an exempt employee and are you achieving what you were tasked to do? Then no, you're not on your company's dime.
      Are you hourly and not on break, or exempt and it's interfering with your ability to complete your task? Then *yes* it is on your company's dime.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  4. Pit it in writing ... by CaptainDork · · Score: 2, Insightful

    ... in a Technology Administrator Policy and designate an administrator.

    I'm retired now, and when I hired on at a law firm 20 years ago, I wrote that policy and amended it as things changed.

    I blocked shit like match.com, Facebook, Twitter, etc.

    I listed taboos like using business email for non-business purposes and I stated clearly that, at the direction of the partners, I would be monitoring emails, browser history, etc.

    For each and every new hire, I read the Policy to them in the kitchen area and invited them to ask questions then, and at any other time during their employment.

    The last page had a place for two signatures/dates:

    - Theirs, acknowledging that they participated in the counseling

    - Mine, acknowledging same.

    I got a few calls regarding wrongful termination during the years and, in one matter, the fired employee said, "Well, everyone else was doing it."

    I told the work comp lady to add, "Line item 6.1.a, 'Report any violations or suspected violations of this policy to the Technology Administrator.'"

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:Pit it in writing ... by Kjella · · Score: 4, Insightful

      I got a few calls regarding wrongful termination during the years and, in one matter, the fired employee said, "Well, everyone else was doing it."

      I told the work comp lady to add, "Line item 6.1.a, 'Report any violations or suspected violations of this policy to the Technology Administrator.'"

      So assuming he wasn't exaggerating you amended a policy nobody followed with another over-the-top rule for them to ignore, brilliant. I've read a few policies like that, in theory they're great. In practice nobody knows, because they're so anal the only real purpose they serve is as legal ammunition against troublesome employees. For example I read my organization's phone application guidelines, install any non-IT approved app and you take full legal liability for any damage it can cause. Meanwhile using it as your personal phone too is encouraged and 95%+ do exactly that, nobody bats an eye at installing anything. It's only there because if shit hits the fan they can throw you to the wolves and blame you for violating policy.

      --
      Live today, because you never know what tomorrow brings
    2. Re:Pit it in writing ... by AmiMoJo · · Score: 3, Insightful

      That sounds like a horrible, Orwellian place to work.

      Did you give employees laptops and phones for travel? Did they routinely turn them off to prevent you activating the camera/microphone and carry a second personal laptop?

      It really sounds like an awful way to live. I wouldn't work at such a place, I'd only go somewhere that doesn't routinely spy on me and largely doesn't care as long as I get stuff done. Even if I didn't care about privacy, I'd assume it was a sign that there were other serious problems with the management style and working environment.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Pit it in writing ... by CaptainDork · · Score: 2

      It's possible that you don't grok it.

      The longer version, that should be apparent, is that a violator got three strikes.

      Well, 4.

      As a coworker, I'd whisper in their ear that what they were doing was a violation and to stop.

      For each violation, I simply witnessed the reprimand given by a partner. That violation was written up, with proof attached; signed by the violator and me.

      That went into their folder.

      Third time was a charm.

      Example:

      Kara downloaded Picasa, a photo editing thing from Google. "Downloads are prohibited without prior permission from the Technology Administrator."

      She brought in her personal camera and uploaded pictures to her computer, then to Picasa. "Employees will not use personal technology at work and will not make changes to any of the Firm's technology without prior permission from the Technology Administrator."

      Management was suspicious of her and asked me to look at her activity on the firewall.

      She was on match.com (this was the trigger for the firewall block, per my recommendation) on a Friday from 2 pm to 5 pm.

      It was all documented, signed by her, and she was let go.

      --
      It little behooves the best of us to comment on the rest of us.
    4. Re:Pit it in writing ... by CaptainDork · · Score: 1

      It really sounds like you want to read the whole goddam Technology Administration Policy.

      For things that seem whack to you, fill in the fucking blanks with the common sense you would include.

      Recall that I counseled each new hire, personally, one-on-one.

      We're a LAW FIRM.

      Things have to be tight all around.

      --
      It little behooves the best of us to comment on the rest of us.
    5. Re:Pit it in writing ... by AmiMoJo · · Score: 1

      Sounds like an incredibly effective way to destroy productivity. All requests, even for trivial things, have to go through one person, or at least through the IT department.

      Maybe it's different at law firms, but as an engineer it would be impossible to do my job working that way.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:Pit it in writing ... by Cederic · · Score: 1

      You can be tight without being a complete twat about it.

      I know law firms are full of people professionally trained to be utter cunts but that doesn't have to extend to the IT staff. I work for a company with severely more stringent information security requirements than a law firm and we do this scary thing called making it a great place to work.

      You should consider giving it a go some time.

    7. Re:Pit it in writing ... by CaptainDork · · Score: 1

      So, at work, you need Facebook, match.com, and you need to use your work email to forward photos you took with your digital camera?

      --
      It little behooves the best of us to comment on the rest of us.
    8. Re:Pit it in writing ... by CaptainDork · · Score: 1

      I let business run the IT department.

      My partners at the law firm called the shots and I made recommendations that protected the Firm.

      Not all were accepted.

      They got hit with ransomware shortly after I retired because one of the lawyers phished on "nude photos" of some celeb.

      I recommended a more expensive firewall with an aggressive approach to malware but they did their risk analysis and denied my request.

      They signed off on their rejection, so I was CYA.

      Last I heard they bought "ransomware insurance."

      I don't know how that works but it's their problem now.

      --
      It little behooves the best of us to comment on the rest of us.
    9. Re:Pit it in writing ... by thegarbz · · Score: 1

      the only real purpose they serve is as legal ammunition against troublesome employees

      Yes and? This appears to be entirely the point of the story. Tell the employees that you have a policy and you're good to go.

    10. Re:Pit it in writing ... by thegarbz · · Score: 1

      It really sounds like an awful way to live. I wouldn't work at such a place

      You could have just told us you were unemployed. No need to go about it in such a roundabout way.

      But seriously you are being watched. If you're not, let me know who your employer is because they have laughable IT security if that's the case.

    11. Re:Pit it in writing ... by Teun · · Score: 1

      I wonder how you got your nickname but I can guess...

      My ex is a lawyer and senior partner in a law firm, whatever they do on the company computers needs to be billed to the relevant client and software is installed to keep the timing.
      Yet they can disable this tracker when they take their break and mail and surf with their company's or own account.
      The actual lawyers in the company have a two-level mail address, their.name@lawfirm.com where all is monitored and their.name.direct@lawfirm.com that is unmonitored for reason of client-lawyer privilege.
      As an IT man you'd be fired and sued if you'd ever, without prior authorization, tried to access these direct accounts.

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    12. Re:Pit it in writing ... by CaptainDork · · Score: 1

      You guessed wrong on the nickname.

      I know that you know that we each make up our own nickname and that the nickname is not, "given."

      I refer you to Dave Barry.

      Appreciate that it applies to you.

      Regarding your post: You said what I said, except you exited too hard.

      Terminal events were set by my employer; not you.

      Individual employees are seldom liable for damages related to their work positions.

      --
      It little behooves the best of us to comment on the rest of us.
    13. Re:Pit it in writing ... by edtice1559 · · Score: 1

      I travel multiple times a week and, yes, I carry a second, personal laptop. There was a time when we were a smaller company and had more liberal policies. But even if I found myself in that situation again, I don't think I'd go back to carrying just one laptop. They just aren't that heavy and it's well worth it not to mix work and personal stuff. Or for short trips, just use your phone. There's really no reason to have work and personal stuff even on the same machine.

    14. Re:Pit it in writing ... by Kjella · · Score: 1

      No, I grok it just fine and I think we're perfectly in agreement on how this works.

      "Downloads are prohibited without prior permission from the Technology Administrator."

      Not just applications, but downloads in general? Am I in violation if I download a PDF?

      "Employees will not use personal technology at work (...)

      So if I check my personal cell phone while at work...

      and will not make changes to any of the Firm's technology without prior permission from the Technology Administrator."

      I can't even parse this, am I allowed to turn on/off my computer?

      She was on match.com (this was the trigger for the firewall block, per my recommendation) on a Friday from 2 pm to 5 pm.

      And you religiously enforce this for everyone who spent two minutes checking a non-work related item?

      It was all documented, signed by her, and she was let go.

      Which was my point.. it's not a policy you expect people to follow, it's a policy everyone violates so you can fire those you want to fire who have violated your *real* thresholds for unacceptable behavior.

      --
      Live today, because you never know what tomorrow brings
    15. Re:Pit it in writing ... by CaptainDork · · Score: 1

      Any chance at all that you actually support any of the Policy?

      It saved our ass for years.

      We used to simply include it in the hire package.

      We discovered that, like most things in that package, people were like, "OK, whatever. When's vacation, where's the bathroom and kitchen and stuff."

      And, it's not like we hired people just so we could fire them.

      Recall that I personally talked to each new hire.

      It was a friendly, sensible conversation that a few did not want to follow, opting for termination instead.

      --
      It little behooves the best of us to comment on the rest of us.
    16. Re:Pit it in writing ... by tlhIngan · · Score: 1

      So, at work, you need Facebook, match.com, and you need to use your work email to forward photos you took with your digital camera?

      Don't need facebook or match.com, though I wouldn't be surprised if someone needed to do their job (social media and the like).

      But digital camera to computer? Yes. Because you wouldn't believe how many support cases are simplified if the client simply takes a photo of the problem. Or in our case, we often photograph circuit boards and point out certain things. Like serial numbers (some people get confused so a photo pointing out where to look for the label solves the problem in 10 seconds versus a day of back and forth emails). Or maybe they blew something up - a photo of the exploded part works wonders.

      I've also seen it the other way - a company was so paranoid about IP, they installed spyware on everyone's PC. Yes, they even emphasized it - from the VP who was let go because he played a movie on his work laptop (let's say not entirely legally obtained), to where there were dire warnings to never copy source code files (.c, .cpp, .h, etc) to a USB drive. If you need files on USB stick for testing, use PDFs and the like.

      I got lucky - I didn't really work for them - I was contracted to them so I had my company's laptop with me over VPN to which I did my "normal" stuff and the company's PC which I did all the work with. Things sucked even worse when they decided that instead of having a generate gateway at that office in Canada, they would be directing all office traffic to headquarters in California, so were upgrading the links. It added some delay to the VPN that was noticeable. They also blocked everything other than 80, 443 and some other ports (I had an SSL VPN which meant everything I did worked over 443). About 6 months before the end of my contract there they created a guest WiFi.

      Oh yeah, the spyware caused lots of issues. We just ended up blaming slowdowns and stalls on it - but hey, I guess they were used to such inefficiency if it takes twice as long to compile.

    17. Re:Pit it in writing ... by CaptainDork · · Score: 1

      Did you even read the fucking part about "personal photos," and "Picasa?"

      You're trolling.

      I get that.

      Bye.

      --
      It little behooves the best of us to comment on the rest of us.
  5. Invitation To Theft by forkfail · · Score: 2, Insightful

    As soon as it becomes impossible for an organization to maintain complete control of the communications on its own networks, connections to other networks, and data transfers to and from those external networks, you have given carte blanche to those who would steal company secrets, data, and technology.

    This is insane. Folks have cell phones that they don't have to put on corporate/company networks. Use that for personal.

    --
    Check your premises.
    1. Re:Invitation To Theft by networkBoy · · Score: 1

      Devil's advocate:
      Cell phones are not allowed as they can be used to exfiltrate data.

      Now of course in an environment that strict I would generally presume two things:
      1) In the controlled environment there is a *hard* firewall with default deny to protect the systems.
      2) There are other systems (possibly in a different physical location) that can access the internet at large and are available on break times.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    2. Re:Invitation To Theft by Anonymous Coward · · Score: 1

      Why is this marked as insightful? If you as an employer have so little trust in your employees that you need complete control of the communications to stop stealing of company secrets, data and technology then a) you're going to fail to stop those leaks because there's too many other ways to get the data out and b) you're going to fail as a company because any employee worth their salt will go to a company that trusts them.

      Are you even 14 years old? 16? "Why don't you trust me" is a cry from misbehaving teenagers.
      No. You can't trust everyone. It's a fact.
      And it's not so much evil people that you're trying to protect yourself from, it's stupid people.

    3. Re:Invitation To Theft by AmiMoJo · · Score: 1

      If an organization is reliant on having complete control of its network for security then it's fucked anyway. Real security has layers. If your security can't survive one phishing email that uses some zero day exploit, or someone connecting an infected laptop to the wifi (e.g. when they get back from a trip), if you ban any equipment you can't totally control... You are both reducing productivity (which IT is supposed to enable) and failing to secure the company systems.

      Anyway, in this case the guy was just using Yahoo Messenger to talk to his family, as well as clients. It's going to be quite hard to block his family but still allow clients to talk to him that way. And the specific issue was not that he was found out, it's that they captured a load of his private communications in the process. Firing him was fine, they just didn't need to invade his privacy further to do it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Invitation To Theft by Cederic · · Score: 1

      there's too many other ways to get the data out

      You'd be surprised how fucking hard it can get though, after even the most basic of security constraints are put in place.

      I have access to offices in multiple countries globally and I still can't get into a specific part of one of our local offices, because the team in there have deep access to very sensitive data.

      That team are not trusted with that access. They're monitored, audited, logged and educated. They're vetted when they're hired, and know that they aren't trusted.

      They don't leave because they respect the need for these measures, they understand the damage that an information leak could cause and they appreciate the protection these processes give to them - they won't get prosecuted or imprisoned for leaking data because there's some serious evidence to demonstrate that they didn't and couldn't.

      Of course, no information is 100% secure and still accessible, so they potentially _could_ leak data, but it'd need to be a seriously thought through and targeted attack, and even then there's a very strong likelihood of detection and subsequent action. Which would indeed include criminal prosecution.

      It would also need an understanding of the defences in depth around that information, which is one of the things we don't trust that team with. The data is sensitive, but I'm not sure it's worth embedding a full team of people across different roles in the organisation to access - anybody with those resources tends to have more direct mechanisms, such as sending in the police with a court order.

    5. Re:Invitation To Theft by Teun · · Score: 1

      Spot on!

      --
      "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  6. No need to use work email due to Smartphones by StandardCell · · Score: 1

    The ruling aside, there's no better way to avoid workplace communication monitoring than to use a smartphone with mobile data network connection. Most plans have more than enough data to give you everything you need while you're at work. It's pointless and counterproductive on so many levels to log into anything personal on a work machine.

  7. Going to assume by drewsup · · Score: 1

    That this was more than a couple emails to family when working late hours, it was 10 years ago, so ya BlackBerrys were out, iPhone just getting started, if it was just a quick email saying hi to brother across the country I would be tempted to have some sympathy for the guy, but appears to be flagrant abuse.

  8. 2017: Using work email for personal business by Rick+Schumann · · Score: 1

    Why would you even do that? Not smart.

  9. Harder to create jobs? by galabar · · Score: 1

    As a company, or someone wishing to start one, has to deal with more and more regulation, when do they just shrug?

  10. Grey area: ruling makes sense by Roger+W+Moore · · Score: 2

    Yeah, shouldn't that be the base assumption?

    No. It might be the cautious assumption but that does not mean that someone who expects some level of privacy has unreasonable expectations. There are many different levels of private email correspondence. For example, if I email my wife to let her know that I will be home late because of work I would not expect my employer to fire me for personal use of work email. However, if you tried to run a small business of eBay selling things through your work email then yes I would expect any employer would likely fire you for that!

    This means that there is a certain grey area between what an employer wants to let you do and what a reasonable person might assume that they can do. Hence this ruling seems to make a lot of sense: employers can do what they want with an employee's email account, they just have to say exactly what they will do and what they will allow beforehand. This way everyone's different assumptions about what is ok do not matter because the rules are spelled out.

    1. Re:Grey area: ruling makes sense by Cederic · · Score: 1

      if I email my wife to let her know that I will be home late because of work I would not expect my employer to fire me for personal use of work email

      You miss the point. The base assumption should be that your employer will know that you mailed your wife to let her know that you'll be home late.

    2. Re:Grey area: ruling makes sense by stealth_finger · · Score: 1

      For example, if I email my wife to let her know that I will be home late because of work I would not expect my employer to fire me for personal use of work email. However, if you tried to run a small business of eBay selling things through your work email then yes I would expect any employer would likely fire you for that!

      And how would you expect the employer to know you are doing either? Because they have access to your work email and the ability to look through it. For example, say you work at super company x. You email your wife to say you'll be late or to get milk, some colleagues or even friends about non work related matter. Not really a big deal unless you take the piss. Now say rival company y comes to you and wants some trade secrets in exchange for bags of cash, you wouldn't dream of sending that from your work email would you? Obviously not because you already know that's not your email address and they have complete access. Now if you emailed the secrets from within work but from your own actual personal account they would have a lot harder time knowing what you were up to and no real right to access unless they had substantial other proof and went through a court.

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
  11. It's called Freedom by WillAffleckUW · · Score: 1

    and Liberty

    both of which are lacking in America, but still exist in the EU

    --
    -- Tigger warning: This post may contain tiggers! --
  12. Oddly Enough.. by agrisea · · Score: 1

    Back in the years of the BBS, system owners/operators had to display a message to their users when they logged in about the Electronic Communications Privacy Act of 1986 and specifically say if they could in fact guarantee the user's privacy for email, chat logs, etc. I am not able to find the exact text that was displayed, sorry.

    --
    Agrisea Tsunami - Epyc Servers... https://agrisea.net/products
  13. Email? IM? by nine-times · · Score: 3, Interesting

    From the summary, I had assumed that this was a standard case of a company accessing a person's email that was sent through that company's own mail server. I was pretty much ready to side with the employer. If you send an email through your company's mail server, you should expect that someone might view that email. Even if the employer isn't snooping, there are any number of reasons why someone at the company may need to review your work emails. However, the article states:

    The company had presented Barbulescu with printouts of his private messages to his brother and fiancée on Yahoo Messenger as evidence of his breach of a company ban on such personal use.

    So that makes it sound like this guy was using a personal Yahoo Messenger account. So that kind of takes me in the other direction, in favor of the employee's right to privacy. As a general rule, I don't think that your company should have the right to access your personal email/IM accounts, even if you happen to access them on work devices.

    However, that doesn't really explain how they got access to his chats, unless they were stored on his work computer. I don't feel comfortable saying that a company shouldn't be allowed to review the contents of a company-owned computer. And this is further complicated by the fact that the employee stated, in writing, that the account was being used solely for work purposes. In that case, I could see an argument that the account is a work account, not a personal account, and so the employer should be allowed to access it.

    In any case, I think there's some space between "what an employer should be legally allowed to do" and "what an employer should do". Even if employers can spy on employees and review private email, they should try to avoid reading anything that's not business related.

  14. Re:Email? IM? by thegarbz · · Score: 1

    So that makes it sound like this guy was using a personal Yahoo Messenger account. So that kind of takes me in the other direction, in favor of the employee's right to privacy. As a general rule, I don't think that your company should have the right to access your personal email/IM accounts, even if you happen to access them on work devices.

    Work devices are work devices. You want a personal device, carry a personal device. I don't side with the employee in this case. IT security involves dealing with threats and sometimes those threats can be internal as well.

    That said either side of an argument is usually painted in rose. The reality is probably:

    a) the guy was caught transmitting something sensitive.
    b) the guy was seriously slacking off and spending half the day on personal stuff.
    c) the guy was toxic to the company and they were looking to any reason to get rid of him.

    However, that doesn't really explain how they got access to his chats

    10 years ago security wasn't high on anyone's agenda. There certainly was little to no talk about encryption. Maybe the transparent proxy caught all the MITM-SSL traffic as is pretty standard on a company PC.

  15. Re:Email? IM? by dissy · · Score: 1

    So that makes it sound like this guy was using a personal Yahoo Messenger account. So that kind of takes me in the other direction, in favor of the employee's right to privacy. As a general rule, I don't think that your company should have the right to access your personal email/IM accounts, even if you happen to access them on work devices.

    It can be a very fine line, but as the steward of an employer's data, networks, and security policy, IT staff are between a rock and a hard place here.

    The company is legally responsible for vetting contractually and/or legally burdened data from leaving any internal compartmentalized or secured areas to outside networks such as the Internet.

    There are really only two ways to do this.
    A) Monitor the data egressing the network, or
    B) Disallow any and all types of general network access that would permit this in the first place.

    As a technology advocate myself, I would much prefer the option of simply treating all employees as trusted adults capable of such restrictions and care on their own.
    However, not only do the less technologically inclined not always have the knowledge or skills to do this even when it is their intent, but the fact is there do exist bad actors that for whatever reasoning are actively going to try and harm you for their gain.
    For this reason it falls upon us to practically guarantee the protection of the company's data and information.

    Personally I know I would absolutely hate and despise operating under work conditions where all of the company resources are locked down and restricted to the point of not being useful, such as a whitelist of vendors and customers for email and websites, or those simply blocked entirely.

    On the other hand, I know if I went to my boss to present this as a problem needing a solution applied, and gave the two options above... He very likely wouldn't share my opinions on the moral downsides of option "B", and would very likely see it as the simplest, cheapest, and best option to solve the problem.
    And while this wouldn't apply to my current boss, I have in the past worked for people who would immediately question why I am even presenting such a thing as a problem to them in the first place, since to them option "B" would be the glaringly obvious only answer, and "shame on me" for not recognizing that "fact".

    In the end I very much worry laws like these will less protect an employee's privacy and more simply force companies to block any and all such privileges in the first place, both to meet their other legal and contractual obligations as well as to head off any more removal of things they can or can't do with their own property.

  16. Re:Email? IM? by Teun · · Score: 1

    I'm not 100% sure but believe to remember from a few years ago when this thing was in another court that he was using a company account designated for client contact to communicate with his family.

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  17. Re:Email? IM? by nine-times · · Score: 1

    The company is legally responsible for vetting contractually and/or legally burdened data from leaving any internal compartmentalized or secured areas to outside networks such as the Internet.... In the end I very much worry laws like these will less protect an employee's privacy and more simply force companies to block any and all such privileges in the first place

    Yeah, it is a bit complicated. The need for security varies from industry to industry, and business to business. In many cases, the best option is just to treat employees as trusted adults. Or more to the point, to deal with the need to secure data on a different level, preventing employees from accessing it in the first place rather than trying to police what they do with it. That's generally a better approach, since once the data is available to people, they might find some way to share it.

    There's also the question of what level, and to what extent, you want to monitor or control user access. For example, are you just monitoring that some HTTPS traffic went to some site, or are you introducing some kind of proxy that's performing a MITM attack so that you can see the content of the traffic? Are you trying to blacklist a few sites, or instead block everything and only whitelist a few sites?

    I don't think there's a correct answer, but you have to tailor the security to your needs. There may be a middle ground, e.g. block all IM but the employer-approved IM, and then have that traffic monitored and archived. That way, you make it clear to the employees that this is a company-owned service, and communications are not private. I think setting up a MITM monitoring system is worse, since it gives people the illusion that their traffic might be private.

  18. In Germany .. by Foppel · · Score: 1

    In Germany (part of the EU) the ruling is like this:
    An employer has to tell the employee (ideally based in the contract) if company e-mail and equipment is for business use only. This has to be true for all employees.

    If an employer does not provide that information, the ruling states that the employer has to accept that e-mail and equipment is used for personal matters. The only question here is how much - as in if the employee manages to fulfill his 8 hours of work per day and let's say adds 1 hour personal use.

    The tricky part is this:
    If the employer allows private usage of e-mail/equipment he becomes a de-facto service provider and has to yield to the law of privacy of correspondence - which means he is not allowed to secretly access equipment or read the e-mail, even if business related.

    If the employer rules that e-mail and equipment is for business only (s)he can legally read e-mails and access equipment without the employee's knowledge.

    An additional tricky part is if an employer decides later to cut down on it the employees could claim a right of custom and practice which means it could take months or years before all machines, e-mails and such are clean of private usage. Only then the employer would be able to legally access the e-mail or equipment.

    Last, but not least, the European Court in question was the European Court of Human Rights, not the court dealing with the European Union. The participating countries have promised to yield to the rulings in their own private matters, but the ruling has limited application as the Court is not part of any justice or executive system in any country of the European Union (and more). So it is a court without teeth.