Ask Slashdot: Privacy in the Workplace

redactor asks: "I work as a sysadmin for a rather large corporation. The Human Resources department has gone on a witch-hunt, and wants me to start scanning user's email for porn. I know there have been some legal battles with this in the past. The company policy is that all data on company computers is property of the company, NOT the user, but I personally value privacy, and am refusing to do this unless it means loosing my job. How have other sysadmins been handling this?" Actually, since it's the office network, I really don't believe it's a voilation of privacy (unless said privacy was explicitly given...most workplaces don't make this guarantee).

Re:You don't have the privacy right (nor should yo

My boss is a woman. I had sent her a postscript file, and she couldn't read it. So I said "Let's download ghostview." and went to www.ghostview.com Unfortunately it's a pr0n site with bestiality links. While she did laugh, it was kind of awkward. I hate the shitheads who register all the mistyped domains. Funner yet is the autocomplete feature in internet explorer. You can quickly see what someone's been using by typing in the little box.

Tough Situation

As so many other have pointed out, the company has a right to do this. They also have a right to make it a sysadmin's job to scan for these things.

While the company might talk about the misuse of resources, the primary problem they are trying to avoid is a sexual harassment lawsuit. If your company has more that 10 twenty-something males, there is at least one who is looking at porno daily.

You need to do it or get a new job , because if they have made it you're responsibility to prevent this and a lawsuit is ever filed, the porn-head goes first. They will then evaluate how this happened and to show due diligence you'll be out the door next.

You'll find yourself in a meeting with your boss and his/her boss and an HR person and quickly realize that your going to be a patsy. After the meeting you'll be escorted to your cube where the corporate secuirity head will help you pack your cardboard box (your computer will already be gone) and escort you out of the building.

Let me get this straight...

Say I, (Cubical creature A), really really don't like B (she smells funny, has an annoying laugh, is smarter than me etc.). All I have to do to make her disappear is to go to www.spank_me_daddy.com and put her email address on something. Then just sit back and wait for the HR storm troopers to drag her away due to the rather bizarre spam she's now getting (she's got to be guilty right?). The same would work for spoofing her IP and going surfing through the corp. firewall to the darker side of the web as well. The inter-office wars have just became a *lot* more interesting :)

tOdd

Re:Let me get this straight...

Underscores are not legal in domain names.

Re:Let me get this straight...

[jafac]

did you find that out the hard way?

"The number of suckers born each minute doubles every 18 months."

Re:Let me get this straight...

[Fudge]

I like the sound of this....subscribe HR and the policymakers to www.spank_me_daddy.com and watch the fireworks from a safe distance! :wq

Ask forgiveness, not permission

Old teacher joke -- do what you have to do (warn everybody), then ask forgiveness if someone objects. Don't ask permission to warn everybody first, because if you ask permission it may not be granted, and you could be fired if you ignored the denial of permission and posted the warning anyhow.

Ask for what purpose this info is being collected?

For the past year where I work, I've had to prepare a report on the "bad" sites out of the top 200 sites our employees visit using the Squid logs. The "out of the top 200" part is important, because it doesn't incriminate someone who makes a mistake (whitehouse.com anyone?). When asked to do this, I first refused. I agreed after I was told what was going to be done with it. At every other monthly staff meeting, I anounce a list of the "top" imappropriate web-users. Problem sovled. Some companies threaten, some include this info in evaluations, some dismiss, but nothing works as well as embarassment. You might want to find-out what your company plans to do with the information before making a definite decision.

Re:Are we moral sensors now?

Why is there always someone who will bring this up?

I personally refuse to write "him/her" ever. Why? Because it restricts language. Assume that 1000 years from now, we encounter an alien life form, having 12 sexes. Are we going to list them all any time we want to refer to any of them? (him/her/it/bhir/jior/shior/ghet/etc...)

No, we won't, we'll just use "him".

Why not use the Spivak (e em [etc.]) pronouns?

protect your company interests

The main objective of scanning is to protect company interests. Company property. Company time. Company money. A healthy work environment. I don't scan with the intent of "getting" anyone, but rather with the intent of preventing problems. That is why the company policy is clearly spelled out. Scan email for porn and viruses. I also do some trivial IP accounting and give a copy of a monthly report to the users telling him where that user has been spending time on the web. You will find that moral behavior is the norm and not the exception. Those who do indulge in immoral behavior, tend to do so on a compulsive basis. I assure you, you will find happy and productive people in a moral work environment with a reasonable amount of restraint together with a reasonable amount of liberty. One of the guys who I regretfully informed on responded by sending me a subscription to HeavyMetal fantisy magazine. Of course, I know who it was from the beginning, and I confronted him and turned the subscription over to him. Believe it or not, he is now one of my best friends. Why? I don't know. He's a good guy and I enjoy his company. Apparently, he also enjoys mine. He wasn't fired, but did get a good scolding, and he has kept his nose clean since then. Don't try to sign up everyone in your office to a porn list. It will create big problems for you and you will probably be discovered, then fired for sure.

Re:Sexual Harassment

- Lawsuits are a real risk. Even if the files are not shown, just the fact that they are present can be used in court to illustrate a point about the "environment"
- The company owns the network, but as we are at work more hours, we do more non-work things on the job. This includes porn, web surfing, emailing and phoning mom, and looking for other jobs
- HR doesn't run IT
- Morons should use hotmail and an anonymous porn surfing sites.
- Actually, to avoid lawsuits, all companies should use hotmail and anonymout porn surfing sites.

A sysadmin at my alma matter once found a pirated distribution of "Starcraft" at 1am. His solution: give five hours (not much...) for the user to remove the file. After five hours he removed it himself and warned the user he'd lose his account if other non-scholastic material showed up in his directory.

Works for me.

Re:Who owns your thoughts?

It depends on the company and the agreements you signed. I worked at a once flourishing and now gobbled-up online service and had to sign an agreement that anything computer related I came up with during my employ, 24/7, was theirs. And this was for a g.d. customer service job.

Re:I've had to do this before :(

I scan only when the network is being dragged down by abuse, and tap the guy on the shoulder (or send a friendly warning via EMAIL) asking him politely not to abuse the network first. If the abuse is repeated, THEN is the time to drag out the heavy artillery -- I'm going to know (and document) what that dude had for breakfast, his shoe size, every key he typed during the course of the day, anything necessary to make his firing hold up in court.

Re:privacy advocacy

I can't speak about EFF, but I am almost certain that the ACLU would not assist you in suing your employer for violating your privacy. They support allowing your employer to do whatever they want (provided they don't break their contract or directly hurt someone); if you dislike it, you are free to do whatever you want (provided you don't break your contract or directly hurt someone). The ACLU supports the freedom to monitor your property, and the freedom to quit jobs that have monitors. It would be an unwarranted violation of our rights for the government to stop us from monitoring our stuff, or for it to stop a company from doing the same.

I have fun with stuff like this

This is one of my small joys in life - screwing with users. There is this guy who I work with that keeps surfing porno sites. It is bad enough that he does it, but when we had a 56k dialup connection, that just really chapped my ass. So, I started having fun.

The first thing I did was just block the sites on the proxy server. That worked well, but it was not really as much fun as I could possibly have, so I went in and changed the page that the proxy sent him. Instead of saying "Sorry, this URL is not allowed." I just added a redirect and sent him to www.disney.com.

One day he came up to me and started complaining. I told him to go see the CEO if he wanted the sites to be unblocked.

Well, this leads me to my next thing: porn in email. I do pretty much the same thing here. I do not read other's email at all, but when you look at the email logs and see messages arriving from www.dirtynastyteensinheat.com, just send them to trash box. They are either spam or porn-of-the-day messages anyway, so I don't feel bad about chucking them.

As far as HR telling me to do this, I don't do it for anyone except my customers. Yes, I am now on a faster link than a 56k dialup, but I want people outside to get our pages faster. If some bozo inside is wacking in his office and is keeping a customer from getting our latest software, that is a big no no with me.

So, look at the logs, not the email contents. You can learn a lot more that way and not invade someones privacy.

Forget it...

If you don't do it, they'll get someone else who will. If I were you, I'd "overlook" just about everything you find. Perhaps pop out a "token" few victims to make the suits feel good. Sorry, too lazy to log in... ten.knilrevlis@wkcuhc

Re:Forget it...

This isn't a privacy issue. It may be a task related issue. Privacy: it has been stated a number of times that an employee does not have a right to have any private material at work. You don't send you snail mail to work do you? Downloading sexual or other non-work related data at work violates you contract, since you are not 'working'. No one has an issue about firing an employee who is moonlighting at work? Task related issue: I was hired as a Unix System administrator. My tasks are to maintain the servers, update software, educate users .... etc. In no way does my contract say anything about searching thru 30 gigbytes of files to find porno. I would tell my boss that he needs to up my pay, for doing a task that is distasteful, and not part of my job.

Re:Forget it...

Actually, perhaps there is some sense here...

I tend to keep my mailbox at work reasonable clean- and I e-mail my finer half (as she e-mails me) and my expectation of privacy is no more than an expectation of boredom on the part of any scanners.

Now, what key words would you scan on? (This'd be a lot like the web-protection software- Yes, there are some technical issues, but, hey, normally this is really NOT worth the effort since there's a lot of ludicrous crap out there that isn't of interest to suits or whoever.)

Another interestint item would be to initially confine such scans to executives and managers FIRST and expose any such traffic to the suits saying "Well, if you guys can't provide a clean example, don't work from the bottom up.".

Seriously, what do you scan for? PGP encrypted traffic cuts both ways- do you really want to challenge all folks using PGP to explain why they need it?

I like the remark about scanning for e-mail system abusers (Joke Forwarders), but, again, this seems like a lot of effort.

Large corporations indicate that there is no expectation of e-mail privacy to employees, but it also seems that there ain't enough cycles available to actually perform such a scan...

Of course, firewalls/etc could also be reporting (for traffic analysis) on users of external "free" e-mail (hotmail, yahoo, etc) with the internal IPs of those using external services- this'd be one of those cases where you CAN'T monitor traffic, but, hey, maybe your boss can find out your hotmail account name and then go look at your traffic to keep an eye on you... :-)

I'm looking at it from a technical angle- Unless the company is not all that large it is probably more trouble than it's worth (though, remember, if you're within a M$ your mail may be subpeon'd) but that sucks in ALL of YOUR traffic- it's targetted.

Morally, this can be seen as a "loyalty check"- Is this reasonable?

A Loyalty scan of this kind needs to be top-down within the organizational hierarchy, with the housecleaning targetted at the highest levels first (remember Sun Tzu!) in order to be morally RIGHT.

-soup (Too lazy to log in)

Re:Forget it...

Well, that's paranoid pass-the-buck nonsense. The issue is "Does the company want to stop people downloading porn or merely catch people who do?". Just scanning implies the latter, while warning people that they will be caught if they do would sort the problem out very quickly.

Re:Forget it...

Exactly. Then suddenly the administrator is given the power to get anyone hired and fired...which in a way, we kinda have anyway. The questions not whether you have it, it's will you abuse it. abusing by using it to violate peoples basic rights to privacy is for weasels. Well, what if your boss is guilty? And his boss? And so on up the ladder? Yes, a certain degree of triage is useful- but executives and management needs to be cleansed FIRST to act as an example. Why do you think few in the military have any respect for the current Commander-In-Chief? Sun Tzu covers this well- it is the FIRST in his list of criteria for winning; The leader(ship) must have the moral authority to win the people's loyalty... -soup (Oh God I'm boring!) (See what happens when you can't sleep because your hiatal hernia is acting up?)

Re:Forget it...

what's the joke?

Re:Forget it...

Well, I have just been catching up (fun with SAP, fun, fun, fun), and yeah, that is the only way to go. I nearly got fired for running crack AFTER I WAS ASKED TO OVER A LONG WEEKEND BY MY BOSS. TO his credit, when he got back he let everyone know that I was supposed to be doing that, but this was a State of Texas system and hooked into a Federal system, so I almost got fried but good. That is still, close to eight years on, in my FBI file (noted duly that this seemed to have been a miscommunication, that everything cleared up, and that I was "an exemplary employee")(but still ...). Lesson: get everything in writing, to the top of the chain, well ahead of time, in your department and all others affected. Then require that they make this policy or have a mechanism for dealing with any consequences (i.e., you can ask me to run crack, but if you find trivial passwords based on that you cannot do anything until you have a policy to do something based on that and you cannot discipline anyone unless you have this policy in place, etc.). This avoids the "double secret probation" problem, where people find themselves in violation of a policy that isn't formally there. You would be surprised, until you have seen it happen, that a Fortune 500 corp can let the HR morons do stuff "off the cuff" that gets them sued in approx. 30 seconds, but it happens. Make friends with your boss and get your boss to OK your making friends with Legal (or whatever passes for that) and Accounting. When you can define what the morons in HR want you to do in terms of liability and the cost of risk (and Legal and Accounting will help you organize your thoughts -- it is part of their jobs to look for this), you will have formidable allies agains people putting pressure on you to do things without serious thought ahead of time and proper preparation. YMMV.

Re:Forget it...

We have that here, really (a large oil products company). The policy is that we CAN look at anything we want and we WILL get after you for downloading pr0n and so on. We let you know the policy. As per our CIO, "we might not be looking, but then again we might be -- why not just do your work, as you should be?" It seems to have worked well. In practice, people who are doing a huge amount of time wasting get tripped up by other stuff (like old-fashioned performance reviews) and we occasionally stumble on something, but for the most part we don't bother. We also use site blocking software that mostly works, and that obviates a lot of the issues. And we really don't care, as we feel that managers should, well, manage. If someone needs coffin nails, we are always handy. But that has been an issue 4x in the last 3 years and we have 15,000+ employees. A lot of this is not a problem if you hire better people, too. Making up for hiring guys who cannot keep their hands to themselves/people with religious views that would make Farrakan or the Arayan Nations proud/people who cannot get along with anyone by setting ugly policies is just stupid. We hire good people and have very few problems. People seem to have forgotten this.

Re:Forget it...

Do you know difference between a sensor and a censor? If not then I would certainly not want you in the role of either.

Re:Forget it...

Absolutely... draw your line in the proverbial sand. One of my last sysadmin jobs, had loss prevention people wanting me to install remote viewing software on a client's PC so they could track her stealing credit cards from the company. When I balked at the request, they tried to pressure me by saying, 'do you think its right to steal from the company'... bastards. I said 'no, but if i wanted to bust people, i would have become a cop.' I've since left the company to become an independant and shake the shackles of the corporate world.

Re:Forget it...

As a security consultant for large companies and a big fan of personal privacy I have had HR or some other entity ask me to do this as well. My suggestion is to: 1: Get the request in writing from HR to cover your ass. 2. Be sure that your superior is aware of this request and agrees with HR's approach. 3. Recommend to HR that they send out a company wide email/memo re-stating the companies policies relating to personal use of the companies IT infrastructure about a week before you do the scan. If the company has no documented policy on personal use of corporate IT recommend that they get one published first otherwise if you do find something it will be pretty much useless as reason for discipline. mystik@ix.netcom.com

Re:Forget it...

[jafac]

heh, my 11 year old son got in trouble at school because he got email from a freind of his at another school, she was emailing around dirty jokes.
Fortunately, the school administration understood when the situation was explained to them, and so backed off, after we promised that the sender would be spoken to, and punished. (no email for a month).

Now his freind just sends annoying chain letters, and still hasn't learned that Bill Gates is not going to show up on her doorstep with a Disney vacation, a truckload of M&Ms, and 12 juvenile cancer patients that are cured now that she mailed her junk to 20, not 19 of her friends.

"The number of suckers born each minute doubles every 18 months."

Re:Forget it...

[jafac]

if only I had a T1 line at home. I can get as much porn in 1 hour at work as I can in 5 hours of surfing at home over my 56k modem.

(example provided as sarcasm, and to illustrate a point - personally I fear my company because I'm aware of their policy, that it's their equipment, and I'm a good little worker)

"The number of suckers born each minute doubles every 18 months."

Re:Forget it...

[derGott]

I have to agree with this.

Assuming I was not being watched over my shoulder, I would delete anything I found that was worthy for HR to fire someone over, but not something truly moraly offensive (eg kiddy-pr0n). Perhaps I would send them a "big brother/guardian angel" message, to scare the witts out of them.

Of course, not to raise any eyebrows, I would turn in a couple people that did things that couldnt get them fired (like that one guy who is subscribed to EVERY joke list on the net, and insists on sending it to everyone in the company, and maybe the person who had to CC the starwars trailer to 30 people vs putting it on a webserver)

Of course, this is my humble opinion.

:-)

Enjoy,
Mike

Re:Forget it...

[derGott]

Just ratting out the people who annoy me, like any good bastard operator from hell... Perhaps they should have little "accidents". Hmmmm

*EVIL GRIN*

And now for something completly diffrent...

Mike

(Nothing I say should be taken seriously, as it may cause mental damage)

Re:Forget it...

[SerpentMage]

Said like someone who actually has had to do it... I think your approach is the best approach...

Re:Forget it...

[Peyna]

So in otherwords you're saying that we should recreate the entire McCarthy era? What you've just suggested is the epitomy of MrCarthyism. Ratting out a few people to get yourself off the hook. I have no respect for people like that, and I don't think anyone else should either. It's thing like this that really make the human race look pitiful.

Re:Forget it...

[JohnnyDoesLinux]

BAAAAD ADVICE!!!!!
Imagine a company where all employees were allowed to make up/change policy on the fly...

As far as porn goes... I would expect to get fired as well as I would fire anyone who was caught viewing it. I cannot remember any company that had a policy that tolerates it, and it just plain does not belong in the workplace.

The company usually has the legal right to scan any email (remember Borland/Symantec Gene Wang problems), so it comes down to the choice - you want to DO YOUR JOB or QUIT - becoming a martyr for about 5 seconds (just about the time your replacements butt hits your still warm chair).

As far as it being the "morally correct" thing for the company to do, call Dr Laura.

Re:Forget it...

[Strawser]

I'd definately do it without arguement, but only after getting a guarentee that there would be a *very* outgoing campaign to inform the employees that it _will_ be happening. As long as they know before they mail, and they're using the companies network, it's not a moral issue as far as I'm concerned. If it's private it's personal, and isn't something that should be using corporate computing resources.
Just My 2 Cents.
Eric

Re:Forget it...

[jsfetzik]

Bad idea! Don't make the judgement call yourself. Because if you do and there is any kind of dispute you will be held responsible. Either report nothing or EVERYTHING.

Reporting EVERYTHING actually serves a purpose. Overwhelm the suits with 10's of MB of data every day or week and let them sift through it. If they have to do the work of sorting through it they will soon loose interest.

Re:Forget it...

[deadLetter]

As a SysAdmin, I get paid to keep my systems running - period. I don't get paid to surf email. First, they'll want to check for porn. Then, they'll want to check if people are releasing company secrets. Eventually, they'll want to know everything that's going out in email. Damn Stalinists.

Re:Forget it...

[Field+Marshall+Stack]

No no no, he's not saying that at all. He's saying "rat out" the people who aren't really going to get into trouble, and *protect* the people who would. It's kinda an invasion-of-privacy triage setup.

Level 1: People who won't get in trouble...it's safe to let the bosses have their way with them
Level 2: People who would get in trouble...do everything possible to protect them
Level 3: People who should get in trouble...tell the FBI they've been downloading kiddy-pr0n

--
"HORSE."

Re:Forget it...

[Gyver]

I'm a Microsystems Analyst in a samll hospital. When we began to provide Internet Access to employees, we all signed a short but very fair piece of paper, saying that "Viewing, dowloading, or e-mailing inappropriate material (such as pornography, violent images, offensive language, etc.) is considered grounds for immediate termination of employment."

But exactlly what is considered inappropriate? I mean, I like my porn as much as the next guy. Give me porn or give me death. But, what I consider pornographic may not be what my boss or other co-workers consider to be pornographic. Great care
sould be given in deciding what you sould be checking out on the net.

The companies we work for hires us to do specific
jobs. They give us tools to do these jobs. They give us Net access to be more productive at these jobs. It is not our jobs to be smutt surfing at work. That's something that you should be doing at
at home. This isn't a question about censorship, it's about proper work ethics.

At the end of the day we can all go home and surf
for all the smutt we want. And I know that I for one shall do EXACTLY that!

Re:Forget it...

[tommck]

Is it possible to guarantee that those people won't get into trouble?
Nope!
I was fired for forwarding on a joke about Ebonics from a mutual fund company a few years ago. I didn't make it up. I didn't even send it to the person who was upset. My friend thought it was funny. He forwarded it to someone else. That person printed it. Yet another person read that and *I* got fired!
So, don't make decisions on who will and who won't get fired. You may be wrong.
~~~~~~~~~~~~~~~~~~
Tom McKearney

Re:Forget it...

[stanlee]

I was a contractor at one of the largest companies in the world (in this case, a chemical/plastics plant). I lost my job over an argument with 'real' company 'administrators' (who often needed help with sharing a drive in NT) about whether or not I was allowed to encrypt my e-mail with PGP.

It seems PGP presented some problem for their e-mail scanning software. Something about a 'security violation'.

Privacy?

Re:Forget it...

[christoff]

Exactly. Then suddenly the administrator is given the power to get anyone hired and fired...which in a way, we kinda have anyway. The questions not whether you have it, it's will you abuse it. abusing by using it to violate peoples basic rights to privacy is for weasels.

Re:Forget it...

[Canard]

Get what they want in writing. This accomplishes two things: 1. Covers your tail in case of any bad legal goo, 2. Chances are they will not be particularly explicit about what they want you to do (they're HR people and probably don't know alot about the systems). Thus it will be up to your discretion as to how intrusive, or more importantly, unintrusive you are.

And if possible, make a martyr out of that guy who has a complaint every 5 minutes!

Re:Forget it...

[galileo]

Ah HAH! You gave yourself away, Coward. "tell my boss that he needs to up my pay, for doing a task that is distasteful" pretty much nails you as someone who would surrender privacy because of personal feeling about porn.
Just because business has managed to manipulate our rights up to this point (in separating personal life from work) doesn't mean it is justified. If employers would make the workplace a more friendly atmosphere, there would be fewer problems. Workers should be judged on their productivity, not what they do during downtime.

Re:Forget it...

[galileo]

Let's all look at this from another perspective. Ignore the bandwidth problem; there are ways around that. And assume that most people are smart enought to not view porn at work.
So, the employer gives you space to work in, right? A cubicle, or at least a desk. Some supplies. However, we do bring personal items to enhance the work atmosphere, don't we? We put these on the desk, wall, and in drawers, e.g. in the employers space. Do these items then become the property of the employer? NO! Why, then, does a file or an email become the property of the employer just because they exist in the employer's server?
IT'S THE SAME DAMN THING!!!

Re:Forget it...

[Peyna]

Is it possible to guarantee that those people won't get into trouble? Idealistically (and I think we all must agree that the entire linux "movement" is pretty idealistic, as well Americans as a whole (sorry for excluded everyone else, I don't know what your countries are like, so I don't want to include them unknowingly)) your plan would work great, but theoretically, I think that the only way to do it, if you feel that this is an invasion of privacy in the workplace, is that you should go up to those who told you to do it, and let them know that. If you value your job enough, and let them know it, I doubt they'll threaten your job with it. That, or demand that if they won't do it themselves, that you'll simply cover everything up. I think that'll make em think.

Re:It is the company's property but...

You probably gave up those rights in the massive stack of papers you signed when hired. Either that or the employee handbook additions you received gave prior notice.

Re:Respect for privacy is a job requirement.

You have a good point there. From my perspective, I'm frequently at work 9 - 8; including commute time, that expands to 12+ hours away from home. In other words, I'm never home when I might be able to call, say, a repairperson. I _expect_ to be able to make personal calls while I am at work, since it leaves me no other alternative! Similarly, I check my personal e-mail from work, so I have a chance to respond in a timely fashion to messages that require it. (Like billing notices from my ISP which I have to call during business hours.)

Since I don't get paid overtime, I feel that a certain amount of use of company resources for personal business is more than a reasonable trade for an extra 3+ hours of my time per day. Were they to have a problem with that, I would simply have to chose to leave work at 5 every day so I could get stuff done. It is blatantly unreasonable to expect/pressure people to work long hours (who doesn't, these days?) and then refuse to let them try to cope with what's left of their life.

This has somewhat strayed from the issue of scanning for prOn, but I disagree with the people who are flatly claiming that everything on the computer is and should be the company's and only business use is permissible.

Too bad you don't have a union contract

It's true that unless individuals have a contract to say otherwise, the boss owns your 'private' email as far as your boss or the government is concerned.

Chances are, they won't make any exceptions to the policy, so an individual contract is out of the question... on the other hand, if you all got together and demanded that your email be private (perhaps with an exception for people that repeatedly abuse bandwidth restrictions)... then you might get it.

Porn Should be Free... with Beer

Proprietary porn is a thing of the past. With the Open Porn Proletariate, the OPP (yeah, you know me), we will finally get rid of the impediments to innovation that has stagnated the current industry.

It's about freedom, man. And I mean free as in FREE PORN and FREE BEER.

-Larry
OPP, help us spread the message.

Warn then Scan

If you are worried about your job, why not simply send and email to everyone informing them they will be scanned. Give them time to clean out their porn lockers and then do the scan.

Re:Warn then Scan

Infact, give them a days warning before each and every scan. If the PHB makes you scan into everyone's mail too often, the staff will get demoralized, and productivity will drop, drop, drop... :-)

Selling your soul

I might not be making the big bucks like I'd be making as a sysadmin at General Motors, but I haven't sold my soul for a handful of silver and gold either. At my current employer nobody minds if you send an occasional EMAIL to your mother or brother, nobody cares if you read Slashdot a couple times a day, and everybody has Internet access. No, the only thing that matters is getting work done, and we get work done big time.

-E

Incoming or outgoing?

Are they wanting to scan incoming email or outgoing email? I have a much more limited control of the incoming email that I receive. If any joe geek wanted to play a dirty (heh!) trick on me, he could send me some smut. What can I do except hit the "delete" button? And they would want to fire me because of joe geek's trick? However, if I signed up for some smut email list (do they exist?), that is a different story. Also, if I was sending out smut from the company's email system, that's a completely different story.

Re:Go ahead and do it.

1) Write a script to scan for "obvious" string combinations. Sex or Fuck by itself is okay, but either in combination with .gif or .jpg... 2) Send mail to yourself. 3) Visit the person *in person* and let them know that (a) they're busted and (b) you accidentally deleted the records, but not to count on that happening in the future. I "colluded" on a very similar system involving web logs at a prior gig. The head NT guy was responsible for terrorising the users, I provided him with the targets, and we both laughed our asses off at Starbucks after.

Sexual Harassment

Porno on the job site == losing sexual harassment suit.

Employees have NO right to use company equipment for personal use. Use the company account for company business, personal account for personal business.

Don't put anything in email that you don't want to testify in court about. Using words like "negligent", "hazard", etc. is really, really stupid. Your email may be archived every night, unless you set a policy to delete email backups after some fixed period. Anyone who wants to keep things longer should make their own copies. You are not obligated to provide fertile fishing grounds for trolling lawyers.

Re:Sexual Harassment

[Delphinios]

Ok. I Have an idea. If someone is downloading porn and keeping it to themselves, what is the problem? if someone else happens to see it, and find it offensive, then the problem starts. i think, if reported, then the person who has the porn (or other offensive content) should be warned, and if reported again, diciplinary action be performed. this would root out many privacy issues and make the overall situation better in the long run. It really pisses me off when someone finds something even slightly, then without trying to rectify the situation, immediatly cry out "LAWSUIT". This is ludicrus and plain stupid. If you are going to monitor the people's accounts, definately warn them. to do otherwise would be wrong IMHO, though it is still an invasion of privacy.

Re:Sexual Harassment

[chown]

I beleive the best way to go would be to send out a message to everyone saying that they are going to be watched. If that doesn't scare people into not doing whatever it is that they were doing, I guess it's too bad if they get caught. Now if they're asking you to monitor and report people WITHOUT them knowing about it, that's bad, and if I was in that position I'd like to think I'd refuse to comply on moral grounds, but losing my job would be pretty strong motivation not to.

Re:Sexual Harassment

[ticklefoo]

Good Point. When I defaulted to the dir. of IT at my company, (I was the only one left in a downsizine, I have no staff), I was shocked and appauled that they forced me to go to a sexual harrassment seminar. Them I found it was state law.

At my company, sexual harrasment is in the eye of the beholder, so anything discomforting about the workplace can be deemed sexual harrassment by those go so far as someone touching someone too much or a poster of a hot chick leeringly promoting a chat site on a CD cover can be considered harrasment. Lawsuits scare companies. All money must go to stockholders.

Their answer has been to have zero tolerance policies against SH.

I found myself telling another manager that a screen saver on one of his users' machines was could be considered offensive to others that might see it (it's a 50's pinup photo with a woman wearing stockings.

Then again, one guy and the guy I replaced were notorius for downloading porn at work.

Ramble, ramble ramble...

It's the same as stealing

Hijacking your employers network bandwidth for personal use is the same as stealing. You are paid for your skills/services and you should deliver the goods.

As for the sysadmin's role in this, it is your job to make sure that your network is being used efficiently for business. Unless "the joke of the day", nude pictures, erotic stories, used car prices, chat rooms, etc... are your business, they probably don't belong on your network taking away resources from people conducting business.

I'm not saying that you should go on a "witch hunt" for offenders. If you see someone who is doing more play then work, send them home with a pink slip so they can get their rocks off. When they are ready to conduct business they can collect their pay again.

By all means, ignore the occaisional 10 sec visit to whitehouse.com. You should, however, at least send a stern warning to the one who sends the video clip of the guy beating his computer to all of his buddies.

Also, keep in mind who is in charge. Unless you're an entrepreneur, you probably don't own the network and you are merely hired help. If your managers come up with a policy that you don't agree with, state your position on the matter and explain why it is not a good idea(sometimes it is better to just shut up).

Managers usually have a reason why they do stuff like this. The driving force is usually economic and will probably benefit both you and your company. Sometimes it's just a misguided decision and you should tactfully provide some guidance. This is probably a good candidate for another discussion.

Re:France and Privacy

I don't think France could handle the Slashdot effect.

Re:Scan their mail

I work 12 hours a day or more, and you're worried about me wasting time on porn during my coffee breaks?

The only thing that matters is whether the work gets done. If I had company security peeking over my shoulder to make sure that I never visited Slashdot or sent EMAIL to my mother on company time, I'd give the company the exact eight hours a day that it asks for.

That kind of mentality on the part of General Motors is why General Motors is the least profitable of all the major auto makers. Productivity is about getting things done, not about time and wasting therein. If taking a couple of coffee breaks to read Slashdot increases my productivity by 50% due to the reduction in stress level in my environment, I have more than made up for any "waste".

-E

Gender free pronouns.

When one wishes to refer to one's fellow without invoking terms of gender, ther are options built into the language which one may exercise. One may find oneself sounding a bit archaic, though.

It could be worse, remember when English, like French, had formal and familir ways to say 'you'? 'Thou' being the former and 'the' (pronounced like 'thee') being the latter. Of course, the th sound was represented with a runic character called a thorn (not one of the current 26 letters used in English and now obsolete. It looks like a p but with the vertical line extending up as well as down). When the printing press became popular, there was no thorn character on it, so the character that looked the most similar was used. This was a 'y'. So 'the' was written as 'ye' (now obsolete) and 'thou' was written as, you guessed it 'you'. Pronounciation since changed to follow the new spelling.

Slashdot trivia! I love it!

Re:Gender free pronouns.

[jafac]

The irony of all this is, English has lost it's previous third-person plural: "thou", for "you", which is both plural and singular, which has the potential for confusion.

Yet, when folks in the South try to remedy this situation by using "y'all", to overcome an obvious deficiency in our language (lack of clear distinction between third-person singular and third-person plural), they come off sounding uneducated/rural/provincial.

"The number of suckers born each minute doubles every 18 months."

Re:Gender free pronouns.

[azz]

"Them" or "the user".

"I want to use software that doesn't suck." - ESR
"All software that isn't free sucks." - RMS

Re:Gender free pronouns.

[Dwonis]

How do you say "him" using the term "one"?
--------
"I already have all the latest software."

Re:Gender free pronouns.

[Eleniel]

OK, there is only so many lies one can see in one post before one has to reply.

In Elizabethan english, there was both a familiar and a formal version of the second person singular pronoun. The familar version was "thou" or "thee" Thou as the subject of a sentence: "thou hast a chicken on thy head", and thee as the object: "I despise thee." Neither of these words were every written with a thorn.

Ye is a formal variation of the plural "You" as in "Hear Ye! Hear Ye!"

The Ye of "Ye Olde Shoppe" is however a transliteration error - it is pronounced "the".

Get your trivia right.

Re:what I got away with at IBM

...further proof that there is a form of conciousness working in "the system".

do the scan

and sit on the results for a long time. make the scan bad / incomplete. The HR department should tell everyone what the company policy is before starting the scam^Hn. Scan the HR department first, then the president, the work your way down (scan the HR department for OFF SITE, or non work related email, and formulate a nice spreadsheet of where they spend their time).duh.

Waste of time and talent

If there is a specific reason or cause to check into an individuals use of company resources, then fine. But the moment my employer starts asking me to indiscriminately check everyone's email for naughty words is the day I pack up and leave.

If they are having productivity problems, then deal with it at the source; talk to the employee. But if you have to peep through people's email to find a reason to fire them, then you don't belong in a position of authority (unless of course you just get off on reading other people's naughty email).

I'm tired of "the man" thinking that they own you just because they pay your salary. If I'm on a break and want to write an email to my loved one and include a few naughty words, I don't think that is wrong (but I encrypt all of my email, so I don't care if they scan it anyway). I've turned down jobs after they tried to get me to pee in a bottle, and I won't even consider any that require drug testing.

I'm at Pet Smart the other day, and they have a big sign on the wall saying "Our employees are 100% drug free!", and that all their employees must pass a drug test. Why the hell do you have to be drug free to sell 40 lbs bags of dog food, and why the hell would I care? I go their to buy food for my dogs, that's it. I don't care if the stock boy getting paid minimum wage goes home after work and smokes some weed. And why the hell would anyone give up their privacy like that to work at Pet Smart?

The more we give, the more they take.

Re:Scan HR's mailboxes

Hit HR, hit bigwigs w/attitudes, hit anyone that's wronged you. Make it work for you.

Re:privacy advocacy

When I have to type more than a few sentences in to a little tiny fucking non-resizable window I sometimes miss grammatical errors I have made by trying to edit via cut & paste. Forgive me!

This is one of the endless reasons I hate HTML and the bastards it has spawned.

Re:You don't have the privacy right (nor should yo

As a former sysadmin at a large corporation, I'd say the HR department had a bigger productivity problem than employees peeking at tittie sites. Sounds like the atmosphere is demoralising and the HR folks are part of the problem. --Louis

Put the boot on the other foot

Dont know if this has already been said, but if you do decide to read peoples email, then if you find anything disturbing, then YOU can sue the company for imotional distress. Just let them know that, and they may reconsider.

Legal schtuff

While you, as a sysadmin, may really not care what your fellow cow-orkers are doing on their computers, you need to keep in mind the legal ramification of porn and other objectional material running rampant on the company network. Quite simply, it can lead to harassment charges, as porn is bound to offend at least 1 person in any given office. Heck, a city hall near where I live had to have a nude (tasteful nude) statue removed from an arts display in its lobby because someone complained that they found it sexually offensive. While you might say that if it's in email or a browser that other people shouldn't find it, mistakes do happen, and people forget to clear the cache/history list, or log out of email. Your company has a responsibility to provide a harassment free environment for ALL of its employees, and that means that a common denominator must be found - generally meaning G rated material only.

its the companies equipment - get over it

there isnt any discussion really. the users dont have any rights in this case. The corporation owns the equipment, the bandwith, hell the chair hes sitting on... and if the user is doing it during hours, hes stealing time too... just for the record they SHOULD be fired..

Re: Hentai, Japanese child porn

Think about it for a minute...
Child pornography is not outlawed because 'god doesn't like it', but to protect children from abuse.
Now who gets hurt if a Hentai artitst draws pedophilia scenes?

Re:scan, and say you did.

>And what about the person who was out sick for two days and comes into the office and just happens to be the person that day to hit a pron site?

If the first thing that person does is deleting all mail and going to a porn site, guess they should be fired...

chalk it up to Darwinian weeding

Y'all are missing the boat with worrying so much about this one. Assuming that the company policy is clearly communicated (and maybe even if it isn't clearly communicated), anyone stupid enough to be handling porno at work and not deleting it immediately (perhaps after a quick peek) deserves to be trimmed from the company gene pool. Morality isn't relevant here.

Try working for THE MAN

This has been a nice discussion about a difficult subject (compare this to the G4 discussion). I work for the Man (US Gov/Dod) that has extremely restrictive official policy about computer use and abuse. The key thing is that the users have to officially notified about the established policy.

I once had a phone conversation recorded and scrutinized for possible security violations (I was talking to a military officer at another DoD facility). No security violation but there was one little problem; during the conversation we talked about how the ppl in the top command positions were essentially idiots. For a while I could not understand why the enlisted and lower ranking officers were treating me so nice when I visited their facility. Apparently the content of my conversation was "leaked" to the folks at the facility.

Here's my question and comment. If one has to monitor computer network traffic, how does one handle anything that negatively reflects on upper management or other related topics? I not talking about porn. For instance, what if one finds someone steadily going to job search web sites? What if you work for MS and you find one of your workers constantly going to this site (and he/she is not one of the offical MS designated FUD-meisters/Trolls)? I believe that you have clearly stated the ethical solution. I got to check out SAGE.

privacy in the workplace

I concur, don't rat. But what issues are we talking here? If a person is into porn on company time, who is paying for it? I'm not into ratting but an employer pays you for work, and i dont think porn fits into the schedule unless ur a porn site. How much do you feel about work ethics, "A days work for a days wage"? I take the issue that I must admin the site, but there is leeway. warn the offenders one time! next time they are on there own.

Re:Corporate vs Individual Rights

Free Speech? OK, you have free speech outside the workplace. Inside the workplace, outside, wearing your corporate badge (placing you "on the clock") ain't free- the company is paying you to speak on their behalf or not to.

Once, at a company site, the fellow running the News Server told me that only WAREZ was blocked- all the other groups came through. He had indicated (to management, way up high) that this wasn't his full-time job, just one he was press-ganged in to, and he wasn't being paid enough for that task to justify his maintaining a properly "censored" newsfeed. He did tell me that his primary concession to allowing any of the alt. groups in was by making their expiration times short.

Back to e-mail... ...any pr0n scanner would need to recognize pr0n-centered spam and ignore it (though I suspect some sysadmins, upon finding an interesting mailing list, may copy down the subscription information... :-) :-) )

OK, make sure the suits are gonna pay for overtime and the compute/storage resources for this job on a continuing basis. It doesn't hurt if the suits make sure that they have a reasonable policy, too.

Due to spam, there can't be zero tolerance for this traffic.

(I've actually thought that students could have their web/netnews reading habits reported to a school psychologist as a form a diagnosis- but who watches the watchers?)

Make sure any scans target the guys WANTING the scans first- If the watchers ain't keeping themselves clean, nobody else can be held to any higher a standard.

(I've always worried about companies where there are "secure" fax machines for the finance people... ...but this mostly applies to the smaller companies.)

-soup (too hosed to log in)

Re:Get the hell over it

My point exactly. People don't understand the value of anonymity or privacy.

However, the people in power value both greatly. It is to their great benefit for you to have neither privacy nor anonymity (nor any rights or priveledges, for that matter), so that you can be controlled and manipulated easily. If you value your freedom, fight for anonymity and privacy.

Re:Right? What right?

It is not a right, but more of an working policy I would demand to have to be working at any place. I don't understand, espesially with all the demand on computer workers, why anybody would work under such conditions.

I think that as long as an employer produce what he/she is expected todo you should leave them alone. If production goes down, and that's easy to spot, you can ask/find out what that person is up to in his working hours...

I do personal mails from another account, but I have online access to it from my work station. In todays Internet world I would not work in a place where I could not monitor my personal mail. It's not like I use a lot of time on it. But I'm accessible, and that is important to me.

I also think it is in my right to keep me updated by reading a few selected web pages for information. Slashdot included :) This I use aproximately and 1/2 hour on each day (a little more on mondays).

Re:privacy advocacy

Just because Slashdot makes a joke out of their derision, doesn't mean you should let it slide. They're definately not doing it to support anonymity or privacy.

What they're basically saying, though humorously (as you so insightfully point out) is saying that you're a coward for not using your name. This is complete and utter bullshit.

Enough said.

Re:Respect for privacy is a job requirement.

Damn straight. Its not like IT/CS people are having a hard time finding jobs. I would never take a job unless I was given my privacy (ie no email scanning/drug tests/snooping). I can understand if something illegal is going on.. but snooping for porn is just stupid. If someones productivity has gone down due to porn, tell them you will fire them if they dont work harder. Simple as that.

Pointer to some references?

I'm surprised nobody is pointing the poster of this question to any further articles or posted laws. Oh well, here's an analysis of the ECPA: http://www.ruel.net/privacy/ecpa.html that was published in a law journal. I'm sure there are others.

I agree: scan with fair warning, but....

If they tell you to scan without warning you
are indeed in a pickle. I have this thing about
lying. I really can't[1]. Well, not a barefaced
lie. So I'd have a hard time
saying that I did scan and didn't find *any*
files matching {female name}{number}.jpg or
whatever.

I think I could, however, drag my feet
implementing the scan (doing it in, say, C++
with a complete rose diagram and class validation
before starting to debug, or perhaps visual cobol)
while either letting
the information slip out or looking for another
job. Or both!

In any case, the poster is between a rock and
a hard place.

-- cary

[1] One place I worked had this incredibly
fake IS9000 stuff. I had to tell them that
they absolutely had to keep the inspectors
away from me. They did. Is that wrong?

The French fought encryption, remember?

If I recall, France only recently gave in to allowing its citizens to use encryption.

They've also been known for industrial espionage, getting caught snooping on IBM France a decade ago (hey, we do it too, but at least Echelon has a cool name!).

By passing their privacy laws, France is doing what the U.S. Congress did when it prohibited listening to cell phone calls: assure the public that the problem doesn't exist while saving the best stuff for itself.

Do as you're told, and be sued

I personally would quit my job before I get involved in this. You could be named in a lawsuit.

Sure, the law might be on the company's side, but they might also not worry too much about settling for a few million or spending half a mil on attorneys fees. Such an amount could wreck your retirement plans.

Re:Are we moral sensors now?

More importantly, it is simply grammatically incorrect. Why butcher the English language for the sake of being politically correct?

Or in this case, factually correct? The non-gender-neutral use implies an untruth -- that the speaker was talking only about males.

Do you follow grammatical conventions all the time? Specifically, how about your placing of question marks and commas at the end of quotations?

jsm

But what do you do?

When you know an employee is viewing non-business related materials for excessive hours? Like he said, I know of a few people that look at porn in the office for a good part of the day. Their workflow fucks everything else up? I'm not a rat, but dammit, your not paid to wack off, do it on your own time.

Re:But what do you do?

[jflynn]

If their workflow is "fscking everything else up" why don't you fire them for that? Isn't that enough?

It seems to me that scanning email for porn is less effective than firing those that aren't doing their job for whatever reason.

Waiting 'til someone gets spammed with porn then firing them is too easy to abuse.

The liability of the company for contraband and sexual harassment is another matter. The company should define *exactly* what they wish to ban in that case -- it shouldn't be up to a sysadmin to make decisions about liability or morality -- they haven't been trained in those fields.

Jim

Re:But what do you do?

[MindStalker]

I'm willing to bet you know about those employees who waist their time on porn from personal experiences with them/complaints you hear from other employees. My point is that usually it does not take a packet sniffer to find out when your employees are waisting their time at porn. I know in my office there is atleast one person who does this. But the management already knows about it, and realizes that if they choose to do something about it, it doesn't require invasion of their privacy to fire them for such acts. (and they don't want to add another stess level to me by forcing me to impliment such a system)

Re:privacy advocacy

It is valid to compare drug testing to mail scanning, because invade your privacy. Neither one's possible drug use nor the contents of one's email are any of the company's business.

That's first.

Second, performance testing would be more effective in stopping fatalities caused by truck drivers, because alcohol is legal and is not tested for in drug tests, and it certainly causes greater impairment to one's driving than light recreational use of many drugs (especially if its done after working hours).

Third, kiddy porn is not the point here. What the poster was complaining of was any kind of pornography, most of which is perfectly legal.

Finally, the content of one's email is one's own business and responsibility. If the line is drawn between one's personal and business afairs (as it should be in this case) it will be clear that a company should not be held responsible for the personal affairs of its employees.

The price of doing otherwise is to great: it is your freedom and your privacy.

E-Mail Regulation

Right now the company I work as an IS for blocks porn sites, sites dealing with illegal activity and hacking sites. Recently the Boss told us to monitor who gets how much email from the "outside world" not related to work... we are struggling with it 'cuz some amount of external email is good stress relief, etc. We're trying to find Tao while still appeasing da Boss --phil

I Feel Your Pain

I am an admin at a fairly large company. One of my duties is to 'report to management on inapropriate usage of the companies network resources by actively monitoring those resources for such usage' or something like that. I had to sign a kind of 'nondisclosure' agreement which is why I am posting anonymously.

Privacy

Actually, we have the same problem with our company (Australian Based) but according to the law (In Australia and maybe the rest of the world) you can scan or read users email for Quality Assurance purposes etc.. And as long as you tell your workers that their email will be scanned and read...

Re:write a script...

My normal .sig has a line of:

"As a SysAdmin, I could read your e-mail... But I don't get that bored"

...which is probably pretty inflammatory, eh?

Of course, one wag suggest the following addition:

"...because I find your files far more entertaining".

Now I'll have to go and change this! Darn!

(I also used to have "No man can EVER learn about impotence the hard way" but I had a co-worked a couple of years back indicate that maybe this'd be a bad idea...)

*SIGH*

It seems that humor itself can be considered endangered...

-soup

But when is child porn not child porn?

Child porn. The canonical Bad Thing that must be stopped "no matter what". Or is it? When can gov't go too far? Here's a real example.

There's a lot of animated child porn out there and all-CG (computer graphics) child port that is getting more and more realistic looking everyday. Technology will only further blur the line between what's real and what is utter fiction and fantasy. NONE of it requires, needs, or involves the use of any real children at all. But many states (FL, NV, others) have already outlawed the production, import, and sale of such media. This is going too far by the gov't. When I can go to jail for drawing pictures or writing stories about adults and minors having sex, i.e., for using mere paper and pencil, there had better be bells ringing, because gov't is seriously fucked up. Of course, no one will want to stand up and pubically defend the rights of people to produce animated/CG child porn. It will never happen. And when legislation to outlaw it appears, politicians must vote on it and either be "for child porn" or "against child porn". What will they choose? Duh. Maybe animated/CG child porn will keep some people jollied up enough that they get off and won't go after real kids. But no matter, all of our rights will be eaten away of our own choosing because we want to be accepted and fit in and look favorable to our society, even if we have to flush every one of our rights straight down the toilet to do it. Peer pressure. It isn't just an adolescent problem. It never really ends at all.

Re:But when is child porn not child porn?

[PG13]

Why has the post "But when is child porn not child porn" been down-moderated!?!? It was a reasonably well written post bringing up an interesting issue it didn't even contain anything abusive.

I always thought moderation on slashdot was supposed to kill "me too" or "first post" type posts and elevate paticularly good points not suppress interesting posts

Re:But when is child porn not child porn?

[Tack]

But many states (FL, NV, others) have already outlawed the production, import, and sale of such media.

It is the same here in Canada, too.

In fact, it is worse and much more twisted than that. The age of consent in Canada is 14. However, the depiction of anyone under 18 in a sexual act is considered child pornography. This means I can legally have sex with a 14-year-old, but if I write about it in my diary, I am, according to the law, in possession of child pornography.

Orwell wasn't too far off. This next step -- and it's not a very big one -- is the Thought Police. It scares the hell out of me.

Forgive the offtopicness of this post, but I couldn't resist the rant.

Cheers,
Jason.

Re:But when is child porn not child porn?

[ambiguous+reference]

Images depicting having sex with children as a gratifying and positive experience are pretty likely to encourage pedophilia. Hate speach encourages hatred. What people say (or draw or whatever) does affect other people's opinions and how they act. If it did not, there wouldn't be much point in having free speach.

When someone willfully disregards the effects their speach has on others, they are behaving irresponsibly, and at a certain point that irresponsiblity becomes criminal.

Re:Liability?

If the price of privacy is the elimination of a companie's liability for an employee's private life, then I'll gladly pay it.

As for your other point, companies are not the grantors of privacy. Privacy is not a priveledge, and private corporations should not the guardians of it, if it were. It is up to individuals to hold on to their privacy... to fight for it if they have to. Companies should be grateful they can invade our privacy as much as they already can, without trying to strip us of it completely.

Re:Corporate vs Individual Rights

just one question.. I know you all are going to shoot me down but when is reading or looking at something illegal been involved with free speech... I can't read something that has been deemed top secret (either by a company or the government) for fear of prosecution of espianoge (industrial or otherwise) and I doubt that anyone wouls say "I was exersising my 1st amendment as an excuse. so would the same be for illegal porn? assuming that of course that porn is illegal or that whatever you look at is illegal... it is an offence to do it and therefor how is it a cencsorship of freespeech? next people are going to say that not being able to shoot up is inhibiting their free speech and what next? killing people in the name of freespeech? I relize that the last two examples are overdone and I'm not inviteing any controbersy about otherways to argue this .. I'm just saying that freespeech is used as the catchall on the internet way to much..

Re:privacy advocacy

Indeed. For some unknown reason, I cannot even make an account here. I type in Nick: trrem44656i (a random sequence) and it says: Your nick is already in use.

Where I worked..

We scanned the network for porn and only got in trouble if we didn't share the passwords!

Re:privacy advocacy

The position of the American Civil Liberties Union should be to protect individual's civil liberties.

Companies have no rights or civil liberties to protect. They have no "right" to "monitor their stuff" or any other kind of right. This is fundamental. Anything that corporations are able to do, we as individuals grant them the power to do. If they can invade our privacy, it is only because we as individuals let them.

Privacy in the workplace ? What is that

I'm afraid Cliff is completely right, alas. The HR dept can do whatever it wants, and the sysadmins shout "Sir Yes Sir" and proceed. There are just a few practical arguments to oppose this kind of action.

It uses MIS resources for a really stupid thing, that is MONEY. It should be billed back to the HR dept.

It's nearly perfect to trig a good heated feud among employees, and destroy anything close to trust among them.

Taking any form of disciplinary or legal action against an employee based on received mails can be quite dangerous for the company. The company must prove the mails were actively solicited. Good luck ;-)




~~^~~~^~~~^~~~~~~~~~~~~~~~~~~ Ooops ... too bad.

Re:privacy advocacy

Perhaps privacy is an ideal.

It is only by sitting still and allowing corporations and the government greater power, and stripping individuals of their power that we come to the sorry state we are at now. It is only by striving to win back this power that things will improve.

As far as RSA, and other cryptographic systems, are concerned in relation to privacy, have you ever heard of steganography? It is much less understood than conventional cryptography by the public (which is woefully ignorant of the issue as it is), but it is a great privacy resource that has yet to be cracked.

Do a web search on it.

I've had to do this before :(

This is a task that I've been forced to do in the past. I strongly disapprove of it, however it is the companies property and not the property of the employee. Unless it is stated in a policy somewhere that is is employee property

The way I dealt with it was:

Only scan email when there is just cause

Only scan for information related to the problem

NEVER ADMIT to an employee that this is being done. Just say you cannot comment on those topics.

You are in control of this information (assuming you're the sysadmin), so be moral about your actions. What you read is not to leave your mouth, accept to very specific supervisors who request the information

Always remember, no matter how much access you have, someone somewhere always has more.

The few times I have had to do this were not pleasant, however they were related to illegal activities, and breaches of contract, and not snooping for porn.

Re:I've had to do this before :(

[DJerman]

I admit freely that we scan, but I'm careful not to say who we've scanned or when (to remind employees to be good). I repeat the policy that all requests must come from a manager of the employees being scanned, and that all requests are approved by an IS director, to prevent abuse both by managers and by me.

Of course, I never say what we find except in my report, which is delivered by hand...

I never like doing it, but I don't like the idea of slaving away while someone, somewhere is making my job harder in order to slack off... but making it known that they really are watching can have a couple of effects: the employees are less likely to engage in bad behavior (accomplishing HR's goal and making you feel less guilty when you don't find anything) and they're more likely to pressure management to stop it (or go somewhere else to work).

My only other contribution is to suggest that if you're going to be put in this situation, ask to be made accountable for such invasions of privacy. That is, ask that at least two managers approve each request for a scan in writing. That'll either get you fired or make them think about their actions. Either way -- problems solved :-)

Re:I've had to do this before :(

[norton_I]

This seems like fair and equitable way to do a dirty job. What I object to is periodic complete or random scans.

Re:Right? What right?

The question isn't wether its right or wrong to download porn at work. The original question is wether its right to scan people's e-mail for the porn, regardless of wether there is any suspiscion or not. pardon the typos, i havn't slept in a wile

Re:Are we moral sensors now?

i will have to agree. i think that if you work for a company and they have policies of what is supose to take place on their network, then that should be followed. I don't have a problem with someone looking at my company email or my computers that i use at work - its the companies property. If you want to exercise your freedom of speech, then do it on your own computer on your own time. I do have a problem with someone monitoring my personal computer use.

cuz easier to sweep touchy issues under the carpet

than to dace them in a public forum. Moderating such topics down is the 'politically correct' thing to do by decree. Heck, I'll bet a lot of /. ers on this thread post as AC because they don't want others to know that they ever discussed this issue. (myself included)

Re: Hentai, Japanese child porn

Dean Siren wondered how the Japanese deal with child porn/Hentai. I've never been to Japan, so this is second hand data, but I've heard and read that up to 10% of Japanese teenage girls have participated in some form of prostitution. So perhaps the pervasive manga help create an atmosphere where sexual exploitation of teenagers is not considered a big deal. I'm not going to pass moral judgement here, but I certainly hope that my daughters aren't convinced to prostitute themselves because the rest of society doesn't give a damn.

Re:what I got away with at IBM

Really? I work at Dell, and when I was in Tech Support, I was actively encouraging people to check Usenet as a resource (with my manager's wholehearted agreement, BTW). Of course, Dell has fired more than a few techs for surfing porn sites, although I've never heard of anyone getting canned over email... --Anonymous for the obivous

Re:privacy advocacy

Whether an employee is impaired (by drugs or other factors, such as lack of sleep) is the proper domain of PERFORMANCE TESTING, not drug testing.

Performance testing also has the added advantage of not invading the employee's privacy.

Re:Scan HR's mailboxes

I like it!

Re:Not allowed here...

Well, how are things in other countries? In Australia, at my Uni, you have no rights to privacy. The usual AUP is that you agree to surrender all rights if you want to use the system. I can't really do anything, cause I'll fail - course, they could be monitering this right now. The worse thing is that they leave terms undefined, so that they could retrospectively change the rules.

Re:scan, and say you did.

No one will care 10 minutes after they get the email. And what about the person who was out sick for two days and comes into the office and just happens to be the person that day to hit a pron site? Does being ignorant of the fact that porn can get him fired exclude him? This whole issue is hard to come to grips with. Scan everything? Scan nothing and say you did? Say you will scan and "hope" no one is being nuaghty in thier cubicle or pick out the office ahole to pass along to HR. I pick Ahole . Well unleess you're the ahole.

Nail the hypocrites

Catch one or two of the morons in the Human Retards department, and they'll have gotten what was theirs.

Re:Are we moral sensors now?

Perhaps you should do a bit of studying on the subject of child porn before saying something as (not meant to attack, its just the proper word) ignorant as "Maybe if we only banned commercialization of child porn images less children would be molested. If they themselves weren't going to be thrown in jail we might have more informants on who is doing that actual abusing. " Watching child porn encourages these sickos to go out and either make the films themselves, or attack us and our children. They don't stop at just watching the porn, and its definately not a cure for them. Watching the filth just makes the idea of having sex with children manifest in their heads. After awhile, they take (more) action.
Kids who get violated this way suffer for the rest of their lives. Children should be protected under any circumstances. Its obvious that you are not a victim of child abuse. Any laws that give slack to sexual offenders were probably passed by those who never went thru the torture.
Before I get too into this, just visit this statisics webpage.

Questions of ethics

Although sexual harrassment suits are a legal reason, I think companies often resort to such measures because they can. Someone genuinely believes that employees are ripping the company off. Porn is a great scapegoat because it is difficult to defend, but companies have been starting to crack down on people who want to check their stocks or read CNN, which degrades the work environment. I probably would not work for such a place unless they paid me a lot. Its my experience that HR folks do not originate orders to spy on people; such orders came from someone else. In one company I worked for, there was a probe because of a real incident where someone put porn up on someone else's computer -- terribly bad manners. HR might not be able to tell you about a specific incident like this for their own privacy reasons, so they ask for all the information. If it is their intention to generally probe for any "misuse", HR should know that the consequences of doing such probes. If you are in a high technology company, or one where people are paid for their creativity and work extra long hours, the effect in all probability will not be positive. HR should understand that. Since you said you work for a large company, you should consider taking this up outside the HR organization. Some companies have an "ombudsman" or similar position that might listen to you. Make certain that your misgivings are stated on the record. If you are right, and you stated your viewpoint well, you will gain credibility. If you are wrong, well, at least you are polite and professional.

Reread it:Phone calls vs. E-mail

He states further down how systems past a companies PBX are (more so) the companies property.. and thus Ever been on the backend of a phone system? Plus the legality of it changes since many call centers inform your prior to the call being connected (for incoming calls), providing you the option to discontinue the call if you find it objectionable. The big problem is not monitoring, but non-consentual monitoring..

How about LOSING your job?

Remember, if you wrote "loose," you probably meant to write "lose."

Re:SSH

I like the SSH idea, but I seem to detect a scarcity of good, free SSH clients for NT (which is what I use at work.) Would anyone care to recommend one?

Go work for a portal and get paid to surf porn

How do you think the portals categorize this stuff?

Re:What you should be looking for...

Like all sexual harrasment issues, I don't think it should be acted upon until somebody complains. IE, if joe is looking at porn when somebody walks in and is offended, he is toast. But it is ridiculous to search for porn because it might offend you when you find it. That is like wiretapping someones phone to listen for sexist jokes.

IMO, while it might be legitimate and legal to search people's email, it should only be done if there is some reason to suspect them.

Sexual Harassment

Privacy issues apart, many companies have gotten sued because someone found the pornography offensive and considered it sexual harassment. This has happened at my company before. Regardless of your beliefs, if a company allows pornography they make themselves liable to these lawsuits. This is in addition to the fact that the computers, the network, and the bandwidth are paid for by the company and they have the legal weight behind them most often.

Re: Hentai, Japanese child porn

Interestingly, that anime porn is tolerated by the general populace. In fact, pornography as we see it in our judeo-christian society has a much different view in Japan. But, in the scope of this arguement about a sysadmin going through log files, I don't have enough experience at Japanese companies to know what would be done...although I do know that one of the companies I worked at (in Tokyo), pornography on company computers was tolerated.

checklist before you start

1. Get a written policy (I bet they don't have one yet). Make sure you get this before doing anything). Insist this policy is published to everyone in the whole company before starting. This policy must make the consequences of abuse clear to everyone.

2. Don't do it yourself; you're a tech guy, not big brother. Provide a mechanism for others to do it. Ripe for blackmail / privacy abuse but at least you're not involved.

Scan their mail

This is a no brainer: everyone agreed when they signed up to work at your company that "their" mail in fact belonged to the company. Legally speaking, privacy doesn't even qualify as a tangential issue here as all resources are owned and regulated by the company.
If you don't like the idea of a luser getting fired because of their porno, it's best to turn in your BOFH license now and bow out while there's still some chance. ;)
Seriously though, porno hunts aren't really worth sysadmins' time as anyone with a little technical knowledge can easily evade all by the most paranoid and control-freaking systems. Detailing all the evasion techniques would be a bad idea as HR would just get into a tizzy about it, but making the notion clear that there's limited utility in scanning might persuade them otherwise.

Feral BOFH

Re:Scan their mail

Privacy is definately still an issue. Users may not have the legal/contractual *right* to privacy, but I believe that common decency dictates that you shouldn't push into other peoples business without reason.

In any case, just another good reason to encrypt all communication.

When will people learn that there is more to right and wrong that the law...?

Re:Scan their mail

[D'Arque+Bishop]

Privacy is definately still an issue. Users may not have the legal/contractual *right* to privacy, but I believe that common decency dictates that you shouldn't push into other peoples business without reason.
I believe earlier posts stated the reason quite clearly: downloading porn on company time is a no-no. You're supposed to be working, not looking at pics. :) Again, just my $.02...

Re:why must everything have a glib response?

At my company there was an attempt by an overzealous manager to keep software developers from abusing company resources (Q3 after work). It was politely (okay, maybe not so politely) pointed out that asking valuable employees to work long hours would then likely be viewed as abuse of company resources, and would also stop. Haven't heard anything about it since. ----- We have enough youth. We need a fountain of smart.

Has your company defined what porn is?

like the subject line says.. what is "porn"?

Re:what I got away with at IBM

These people should consider themselves lucky. Everything I've heard about IBM outside of the research facilities is completely evil. It doesn't sound like they've changed much since they all were required to wear socks pulled up to their knees. IBM has some very sick culture behind it, and I'd encourage anyone to leave for a much healthier one (they do exist, and aren't all that uncommon in the computer industry). On this issue I strongly agree with the poster who commented (to paraphrase) that while actions like monitoring email and treating employees like children is legal, it doesn't mean you should do it! It's sad that some companies just don't seem to understand that they create their own culture, and the good employees will just leave if they feel they're not being treated well.

Re:within their rights..

this company is within every right to read their employees email. it is THEIR company, not yours. if you don't like it, you don't have to work there.

yeah, and it's their company, not yours, so if they want to take their pants off, stand on your desk and piss on your inbox, it's within their right because it's their company, not yours!

Re:Corporate vs Individual Rights

A good point that "free speech" or "freedom" in general is overused as a license for self-indulgent, offensive or harmful behavior-and not just on the net. The deeper question is what restrictions are we willing to accept to create a society that has both freedom and a degree of security for its' members? MNM, we WILL have restrictions, but what and to what degree? Most reasonable people agree that claiming "offense" as a harm worth restricting everyones' freedom is a poor idea that has already been too widely implemented. I would argue that restrictions on smoking based on biased, cooked, and just-plain-fraudulent studies has also gone too far. That may be an arguable grey area, and there are many others. Sometimes it seems that Balkanization of society into groups whose behaviour is homogenous is the only solution, but knowing human nature, I suspect that the only perfect solution is atomization into 6 billion "kingdoms"... Personally, I just ignore rules and laws that I disagree with or find inconvenient, and insist that everyone else follow all the rules... Brad Gregory "In order for us to have a peaceful and prosperous society, it is necessary for everyone else to obey the law." BJG

Re:Are we moral sensors now?

I believe it was Samuel Clemens who said, "There are Lies, Damn Lies, and statistics".
What's worse is your (and others) mis-use of the valuable tool of statistics. There is no correlation between sexual material and sexual crime, other than sick people often abuse sexual material, just as they abuse others. Also there is a vastly larger group of people who view sexual material and never "act out" what they see or fantasize. I was sexually abused (one more needle in your bag of hot air), and am not an abuser. Also you should evaluate your definitions of abuse... I consentual relations between a 14yr male and a 19yr female abuse? How about the reverse. Perverse? In my opionion the vast bulk of abuse and continued abuse in the US, is directly attributable to our perverse attitude of repression of all things sexual, especially if that sexuality is tied to love....
Take the time to open the issue up, and tie it to love instead of hiding it and making it dirty, and forbidden and I guarentee sexual abuse would be in the single percents within half a century.

Just say no

Having worked for a law firm for about a year, I'd ask your HR department to get a written statement from either a) Head Legal Counsel for your company or b) the outside legal counsel for your company. Otherwise, I would say no. Whether or not you have statements that say that the email is the property of your company, I believe that you will be ripe for lawsuits if you use the information used.

I filter email - it's a problematic process.

I am a sysadmin who filters e-mail content (as requested by management) for a 210 user local government system. It's an extremely problematic process. We use Content Policy Software which basically checks all incoming and outgoing email for certain characteristics such as keywords or document types (eg. AVI, GIF). A "moderator" looks at the e-mail identified by the software and checks the content before rejecting or accepting the email. This is to try and limit incorrectly blocked e-mail. You can try to do it automatically but it doesn't work - you block to many legitimate messages or have to not use keywords/file types resulting in e-mail getting through. Also, you have to tell staff that just because something gets through the system, it doesn't mean it's ok. There needs to be a lot of supporting policy and protection of staff from problems arising out of incoming email that is not their fault. I think that banning personal use at work would be a lot simpler and provide greater protection for staff.

Why stop at e-mail

While the company may have a legal right to do this, I find it very disturbing that Internet communication at work is being restricted solely on content, rather than cost of bandwidth or employee time wasted. Why stop at e-mail? Why not eavesdrop on all telephone calls to make sure pornographic material isn't being discussed? You say a four letter word, the call is trerminated & you are summoned into HR for punishement. Companies have traditionally restricted phone use based on time and cost considerations -- not on what's being discussed. A company has the right to determine how you use its resources - but not what you can think about. If wasting company resources is an issue, you should have a rule against all non-work web surfing, regardless of content.

Re: Hotmail does not guarantee privacy

Use MailAndNews.com, they provide SSL connections (for web based, POP3, and IMAP mail). A problem like Hotmail's could still happen, but at least it prevents sniffing.

alternatives to scanning

I'm a sysadmin at a fairly large corp that is always in the media. This is an issue that gets brought up alot for fear of bad press. My answer is not to find out who the perpetrators are, but to stop it from happening. C'mon, we're sysadmin we can do anything! Firewalling is the best bet. Stop it from even getting there. There are many ways for pron to make it to your computer: Mailing lists, revenge from other users to users that leave machines logged on. This way privacy won't have to be infringed but freedom will be. ;) .

Snail Mail

Sod it, if you cant abuse the corporate email system, then just write snail mail to yer mates and abuse the companys' letter franking machine :)

Re:Are we moral sensors now?

Well, I don't have statistics on all sexual offenses, but I can give you them on rape. 91% of rapes are male to female 8% are male to male 0.8% are female to female 0.2% are female to male Ok, so 99% of rapes, the offender is male. I think this qualifies as more than "a large slice". Its virtually all of them I think 99% qualifies the use of the pronoun "his". Just my 2 cents. - Rei

A good BOFH already does this regularly

Always keep a good pile of blackmail material ready. You never know when it'll come in handy.

You're a loser

You have much more important problems. You're an adult and you don't know how to spell the word "losing." Get a grip, moron.

Big Brother

is alive and well, and this is an indication of it. and its not just the government. Big business has gotten away with suspending the constitution. Freedom? ya freedom, my ass....

Re:Big brother

[mindstrm]

But the point isn't that they are *always* watching, it's that they *might* be watching, and they *might* find out, and fire you.
If they say 'As a condition of your working here, you will not look at porn on our servers, under penalty of dismissal' then you shouldn't look at it, whether they monitor or not.

Re:Big Brother

[Rombuu]

Yawn.

Civics 101... The rights enumerated in the Constitution have to do with what the federal (later extended to state) government can and can't do to you. Citizens and Businesses do not apply under the constitution.

simple...

put a message in motd ( I AM GOING TO SCAN MAIL ON DATE ), send a mail to all the users with the acceptable use policy and advise them that their mail is going to be SCANNED ON . This will pretty much remove any chance of any porn being found on that date and you can tell HR that you scanned for it. :) BTW, this is also the same bullshit that i go thru every month and i make damn sure no one gets caught, but the scan is performed.

Hasn't anyone heard of the ECPA?

That's the Electronic Communications Privacy Act. (I'm assuming a US Company here). According to this, basically you have a right to private email UNLESS your company has an explicit policy otherwise (GROSSLY simplified...) Check it out and other great privacy resources at EPIC's Website. No one in this whole discussion appears to be a legal expert (I'm certainly not one!!) so I would advise the original person to consult one. The issue isn't whether one is downloading porn (though that's the company's hot button), but whether OTHER stuff -- extramarital affairs, HIV status, whether you like plain or crunchy -- will be uncovered that doesn't need to be.

Re:Are we moral sensors now? - statistics

I get my statistics from the US Department of Justice 1997 press release on sexual assault. How about you? (statistics given in my previous note) - Rei

Re:privacy advocacy

You're an idiot. The label Anonymous Coward is intended humorously.

Wow! My first flame... feel free to reply with comments regarding my spelling, grammer, intelligence etc.

Re:You don't have the privacy right (nor should yo

traditionally it's "conquered," rather than "overcame," although overcame is a completely correct translation

There's already a law against this..

According to the Electronic Communications Privacy Act of 1986, the network provider must notify the users BEFORE they use the system, that the network is not secure and that any data transmitted on it can (and will) be reviewed by parties other than the sender and recipient.

In Law Firms, this kind of network monitoring may violate attorney/client priviledge and is not tolerated (let alone mandated).

Re:Scan HR's mailboxes

Make sure you spend a lot of time looking at the suit's mailboxes and home directories. If you find _ANYTHING_ at all, no matter how inoffensive, like something out of a fashion mag, send it to HR and make a big stink about it. Let the dog come home to bite them.

More details needed

To properly address this question more information would be helpful. This question has several answers depending on what your companies email policies and requirements are.

I dont think this is worth quitting over, although if you were looking to be fired it is a rather noble way to do it.

You could just ban all attatchments, force everyone to use text only, this would help block viruses, but is not practical if you work for a graphic design company.

You could limit the size of attatchments, this would at least minimise the waste of time/bandwidth.

If your company provides internet access then this will just mean employees will start using Hotmail for privacy (Ha, poor ignorant fools).

If they have already stated that mail is not private and is explicitly (pun intended) for work only. Give due warning and watch the flurry of people deleting then start random checks. (Lets not forget, you are trying to save time and money not waste more, so exhaustive checking seems impractical).

Get them to define porn (Playboy or Penetration?). Banning Porn can be achieved indirectly by clear policy as mentioned above.

Although it is annoying I feel free access provided by the employer is compensation for it not being totally private.

In the long run it may be worth clamping down on the pornmongers so to let people such as myself get away with hours on Slashdot and software downloads I would rather not make on my home machine.
Anonymous Muppet

Re:What you should be looking for...

I have done work for a company where we did scan users browsing patterns. We found some people browsing porn for 4 hours a day. We also found people that just excessivly browsed with no real goals. Monitoring can be helpful if done right. Once a floor of people find out someone got fired for improper net use your job is mostly done.

The First of Five Essentials for Victory

There is no resonable expectation of privacy in the workplace, outside of the bathroom. Therefore, since it's company owned, the computers are the company's property and it is perfectly acceptable (hell, damn near expected) that such procedures will be taken from time to time. Suggest you do the scan, and report the findings. Worst case, THIS Dumbass has been downloading porn at work, never a wise career move. You not doing this would be an even worse career move. Don't belive all the privacy freeks. It's a nice ideal to shoot for, but the law will find in favor of the workplace. This is not where you need to start a grass roots campain for privacy. Write ACLU a check, join EFF, do the scan, and sleep easy. --- Excerpts from Sun Tzu's "The Art of War." The Five Essentials for Victory (#1) He will win who knows when to fight and when not to fight.

Re:If it were me...

Out of all the replies so far, this one makes the most sense. Every company has it's share of witch hunts and sometimes innocent people are kicked to the curb.

I agree with sending out the email since there are always new or stupid users. Though the person/people that should initiate the scan is the security adminstrator, not a sysadmin.

However, in the suggestions section, it shouldn't be your call, it should be management/Human Resourceless.

And now a word from our sponsors... I loathe almost all of the overpaid scum sucking leeches in our corporation--HR people. If there was a way to implicate one of them in this, great. The world would be better off with 1 less HR person.

Oh, let me know what you find as I'm into the kinky Asain stuff. heh heh heh...

Re:You don't have the privacy right (nor should yo

um, in this context, it's a sex and witness joke. it's a julius ceaser quote

Interesting case

There was a case about a year ago in which the dean (?) of one of the Ivy League divinity schools was fired after porn was found on his machine. The catch was, the machine was at his house and was provided for his (personal?) use as part of his employment agreement. A university technician found the material when the machine was serviced. Comments?

Re:write a script...

Actually, writing a script seems like a fairly good compromise. If the sysadmin's goal is to avoid violating the privacy of innocent users of the corporate network, a script which only reports violations seems like a valid solution. But I don't think I recommend making the script available from the intranet and giving the manager a magic web button to invoke it...

Oh, and as with all monitoring of net information, beware of false positives. You can't assume a piece of email is pornographic just because (say) it contains a gratuitous use of the word "penis".

I work at witchunt.gov

I work for a school district somewhere in the Nevada desert. We're in "witchhunt" status a lot of the time. While I value personal privacy, the people at work and I are public employees on public time on public machines. I feel that the executives of private companies have the same rights, they're paying the employees for their time, so be it. If you don't like it, quit. One thing that completely blows my mind, is that my workplace is full of rumors and paranoia, yet people STILL look at porn at work. We're constantly finding complete morons who continue looking at porn at work, thinking "i wont get caught". Above that, a significant amount of people caught were looking at "teen porn". We, at work call these people "Anti-darwinists". At work, you're on other people's time, do what you're supposed to, and if you don't and get caught, don't whine. If you morally object to it, quit (I wonder why you'd morally object to it, also)

Re:write a script...

I do not see how a script can check the contents of a graphics file for pornagraphic content. I did not think text porn was a big problem.

Maybe Perl is cleverer than I, and has a clear definition of what Pornograph is, I have seen some pretty sick things proclaimed as art and the likes of Playboy denounced as the work of Satan himself.

email smut

My company went on a tirade a while back about this. I complied fully and usally wind up
tormenting offenders for a while. I dont want
them getting sued, dont want a customer seeing
it on someone's screen, and besides, if you're
there to work, you're there to work and while
you're on their property, you do what they ask
or you leave. It took about two weeks to wipe
it out completely out of the company email system and I havent had to mess with it since.

We did the same thing with the web proxy. People
spent too much time looking at non work related
stuff on the clock and we went through and
started blocking stuff right and left.

people that constantly abuse things get the rest of the people in trouble. A few people at our company made the rest not be able to read the news during lunch hour, whatever. I have no problem torturing people that use the mail system for that sort of thing.

We archive logs off on cdrom for permanent storage as well.

Excuse me while i go grab the asbestos BVDs...

WARNING!!!!! THERE ARE LEGAL RISKS FOR YOURSELF!

Warning, there are potentially serious legal risks associated with this for the sys admin asked to do this.

I saw a paper (SAGE?/ USENIX?) on the libaility you expose yourself to if you blindly do this on managements request.

At the very least you should refuse to do it without a **signed** letter/memo from someone at least several levels about YOUR boss for each time you are asked to do this. And you should keep a copy at home in your personal records.

Don't forget if you do this you instantly become a target of any criminal or civil investigation including all of your records can be gone through, you will be asked to testifiy (since you first discovered said info) etc..

Its a very dangerous path to go down.

what I got away with at IBM

well, not all of IBM monitors very well. I got away with IRC, porn, phonesex, and just about anything other than working. of course, for $8 an hour, I don't really feel bad. Anonymous for a reason

Re:what I got away with at IBM

[Mawbid]

Faster, faster, faster 'till the thrill of speed overcomes the fear of death. If you know the origin of this quote (please say it's not that sci-fi novel) emai

This is unbelievabe! Just five minutes ago I read this on rec.bicycle.misc:

Makes me think of my favorite quote from Hunter Thompson -- "Faster, ever faster, until the thrill of speed blots out the fear of death..."
--

Re:what I got away with at IBM

[slpalmer]

I worked for Dell (Telephone tech support- years ago), and was fired for reading *work-related* newsgroups while taking support calls. My manager, was of military background, and not technicaly oriented. I appealed, but higher management backed him.
---
Stephen L. Palmer
http://midearth.org
Just another BOFH.

Re:what I got away with at IBM

[eht]

Recentlty at the IBM i work at (endicott) 3 people got fired for just wasting time on the net, no porn, 1 was playing links the golf game with some guy halfway across the country, another had brought in a cdr and started burning roms, not even of pirated stuff, just downloading freeware and shareware and stuff, can't remember the third, all canned, no pension (not that it's very good anymore) no benefits, just get to go home and tell the family you got fired for nothing illegal, and these were tech and engineer people, not the 8$ an hour slobs (me) not anonymous eht

Re:what I got away with at IBM

[FatSean]

8 Bucks? What were you, the janitor? Christ I got twice that co-oping as a college student.

Re:Get the hell over it

wow, I'm so glad you can support privacy law by calling it dead. Some people (like you) don't deserve the rights they have. If you willingly give up your rights for privacy or safety you should be kicked in the ass.

I had the same issue with WWW logs.

At one point the HR director wanted a report about WEB usage. I suggested that in meantime we send out a "accaptable use policy" email to let people know that we didn't approve of frequent visists to VoyeurDorm.com. They were very opposed to this. They we much more interested in having dirt on a few people than creating a healthy work environment. I wonder are any other organizations out there like this.

PS I'd quit but we have a HUGE IT budget. So big we can actually afford the Unices that are good enough to cost money, like Solaris. :)

Re:IF then only outgoing

This comment highlights the importance of caution in the use of any results.
Others who suggested you sign the HR people to porn mailing list goes to show that Porn you find will not necessarly have been by choice of the user.
You should give fair warning, you can always claim you found stuff during a routine virus scan or while doing similar maintainace work.
I dont believe in Privacy (or vegetarianism strange cult that it is). It is a nice idea but in this day and age i am Paranoid and strongly question that we actually have privacy anymore.

privacy on corporate nets

ok. I work in in a noc dealing with a _very_ large network with similar "no porn" rules, and we have have had to do exactly as you are being ask to. some things you must make clear to the dept requesting these scans is that ppl must be caught 'red handed'. real time sniffer traces and acl logs on the firewall must concur with what is found on the users hard-drive along with eye-witness type accounts. a nudie jpeg that is simply sitting in someones in-box (unread) does'nt cut it. now if the user in question is pulling these files off the net and sending them off to others via email, this is completely different. (keep in mind it's pretty easy to send email from someone elses acct, so that has to be taken into consideration) when I was @ at&t, a manager had fallen out of favor with some of the ppl in tech, and believe me, there was porn found like crazy in the guy's email, local hard drive, network drives and on floppies in/near his pc. your jobs as a competant (sp?) admin is to make it very clear to the unwashed masses in management of these types of things. and when it comes right down to it, if the company you work for needs to have someone digging through servers and sniffing the wire to find out who is looking at porn, they sure as hell have other more pressing security issues on that net to resolve!

WARNING!!!!! THERE ARE LEGAL RISKS FOR YOURSELF!

Warning, there are potentially serious legal risks associated with this for the sys admin asked to do this.

I saw a paper (SAGE?/ USENIX?) on the libaility you expose yourself to if you blindly do this on managements request.

At the very least you should refuse to do it without a **signed** letter/memo from someone at least several levels about YOUR boss for each time you are asked to do this. And you should keep a copy at home in your personal records.

Don't forget if you do this you instantly become a target of any criminal or civil investigation including all of your records can be gone through, you will be asked to testifiy (since you first discovered said info) etc..

Its a very dangerous path to go down.

CFO spankin

I run a small computer store in a small town. I was doing a bit of service on a machine from the local hospital (new drive), and while watching the files run by during the xcopy sesion, I saw a ton of bigtits.jpg, hotass.jpg, pussbanner.gif, etc, etc, from the cache dirs. I would say scan the mail of the people who started this witch hunt (or the people above them) and once you've got something on them, bring it up at the next meeting. Nothing quite like public disclosure of thier own kinks to kill the B.S.

Re:CFO spankin

forgot to mention it was the CFO's machine I was doing the service on.

follow the money

While I am a big proponent of individual freedom and liberty, the issue really boils down to money. Who owns the network? In a work environment the employer owns it and pays for it. They have a right to also expect (and require) that it be used for work stuff. Most employers are not draconian and let it slide, however, some are getting more strict and even going as far as looking for a few sacrificial lambs to kill over the "network usage policy" If I were the sys-admin in question I would a) ask to see the published "network usage policy" document and make sure what they are asking is in line with that policy. If all those ducks are in a row, I would then b) see if I could make a few enlightened suggestions, like picking out a few 'wrong-doers" and send them an advisory note to kind of "instill the fear of big brother in them - give them a warning..." of course all this depends on the organization - some might say "do this or we will fire you" At that point, a decision needs to be made - is that the kind of organization you want to work for?

Goes back to some of the first things I ask for when going to work for a company - Ask for a Network useage policy (email, web, etc.) and ask for a network security policy.

Robert Bogar (I lost my password)

Re:privacy advocacy

Companies may have no rights, but the people who own it do. Same effect. The people who own it have the right to monitor their property, or allow others to monitor it. The corporation is really a convenient way of dealing with the various owners, and is (for convenience) treated as a legal entity. The corporation (acting in behalf of the owners) has the right to empower employees (in this case, the HR department) to monitor it's property. Put simply: the owners are the corporation. They own the property owned by the corporation. They have the right to empower anyone to monitor it or whatever. And I really doubt the ACLU will disagree with that. As long as it isn't the government doing it, I doubt they will have a problem.

One User's Experience

And no, I'm not a clueless user. I actually help the IT guys out with troubleshooting, maintaining the Unix box (i.e. answering the question: What's cron??), and finding holes in the fire wall. From the other side of the equation, there are some pretty clueless sysadmins. Here is an e-mail I got today:

Your PC was either rebuilt last night, or will be soon, as part of the company wide exercise to ensure that only Y2K compliant programs and work related data reside on our computer systems.

So far so good, it was actually re-built last week.

During the rebuild process the user's U:\ drive is scanned to identify files that should likely not be located on the B****** system. These include files with extensions exe, com, zip, dll, ocx, mp3, avi, Mpeg, Mpe, Mov, Bmp, Jpg, Wav etc. Those found on your system are listed in the attachment.

u:\ is some network space allocated to each user for personal files

Please review the attached file list and then either (1) delete the files immediately or (2)if they are work related, get permission to keep them. Do not move any of these files to your C:\ drive.

Not that they would know. Their implementation of SMS is fscked.

All unapproved or non-Y2K-compliant software must be removed from the network drives. Failure to do so may compromise the B****** network.

Followed by a list of jpg's (Get your mind out of the gutter, they are my best friends wedding pictures.) OK, I'm no sysadmin, but how are jpg's a Y2K risk. Or a risk of any kind. No previous warning of searches, no evidence in the IT department policies that jpg's aren't allowed. I'm sure they think they are pr0n or something and are just using the Y2K purge as a lame excuse.

No wonder I'm working late updating my resume.

Anon Cow for obvious reasons.

Selling our souls for silver and gold

Why should I work for anal-retentive assholes who have nothing better to do than create a hostile work environment? Given the tight labor market, how can ANY employer justify firing an employee who goes to http://www.xxxxgirlzzz.com one day?

Far too many of us are willing to sell our souls for silver and gold. I will not work for an employer who views my personal life as his own by engaging in piss testing, EMAIL monitoring, etc. Sure, there's programmers who waste a couple of hours in their 15-hour days by playing Quake Arena. Gosh dog it, we got to get them to work the OTHER 9 hours a day! (said satirically to the sound of a cracking whip). But cracking down on the abusers at the expense of killing productivity due to poor morale is NOT the answer. I know that as a programmer, my first response would be to cut my hours down to 8 hours a day and start looking for a new job, even though I don't visit porn sites or receive porn in EMAIL.

Oh -- as a sysadmin I would start the scanning, but would also send EMAIL to everybody in the company warning them that Human Resources is requiring scanning and please contact Human Resources if you want further info, have problems with that, etc.. That way the geeks will know that they're being shat upon by the suits, rather than by their own.

-E

Re:Selling our souls for silver and gold

[coyote-san]

Why do you assume the problem was an isolated incident?

Some people spend a *lot* of time looking at non-work related sites. Glancing at CNN every couple hours is one thing (e.g., I'm sure many parents with children trapped within Columbine first learned of the situation from the web), spending hours poring over the Sports Illustrated or E-Trade sites is another. When productivity suffers, management has to pay attention.

Focusing on porn alone, it's one thing for an accidental porn redirection (e.g., "whitehouse" expanded to "www.whitehouse.com", a porn site) or deliberate viewing after hours and/or in a office with a closed door. It's another thing to leave the material up in plain sight during working hours.

We simply don't know enough about the original situation to evaluate whether it's a reasonable request. Was this a knee-jerk reaction from an HR employee who saw a bit of shock-TV on the _700 Club_? Was it a reaction to a substantial article in an HR journal? Was it a reaction to a formal complaint about sexual harassment due to a "hostile workplace environment?"

Kuell. That's what I did to my neighbor

because ... I craved his wife.

So I dumped a bunch of kiddie porn on his computer, and called the feds.

They also found plans to blow up a few federal buildings, so he went off to jail. I convinced his wife to marry me, and we live very happily now. She has lots of money.

;)

They should have known better

They should have known better when they had to piss in the jar to get the job. Any company so anal-retentive as to care what I do in my personal time is a company not worth selling my soul to for a fist full of dollars.

Judas Iscariot sold his soul for a handful of silver and gold and lived to regret it, and so shall we.

-E

What to look for?

So what do you look for?

If you look for just JPEGs then cartoon porn (dont look at me like that, you cant prove a thing) GIFs or some alternate format will slip through. The resourceful porn monkey will just use Tiff or Pcx or BMP (clunker that is will waste even more space) or any variaty of format [god forbid programmed code 0s and 1s]. More likely they will just simply Zip them and put a password on the lot. You will have to scan their whole userspace, the local Temp drive or try and break encryption and waste far more time than you could ever hope to save. If they are determined to abuse privalidges then you have not a hope of stopping them short of banning all attatchments, or all non work related content. Anonymous Muppet

Don't scan, and say you did.

[Apuleius]

Problem solved.

Re:Don't scan, and say you did.

Better yet, send some porn from an anon site to the pinhead who wants this scanning done. Then pick him out as one of the culprets and get him fired.

Re:Don't scan, and say you did.

[vapor2000]

I LOVE this! Do it!

Re:write a script...

You have got to be kidding! What happens to the guy who's wife emails him about the great time she is going to give him tonight and it ends up in some manager's (who happens to be very christian) email box? How will you feel when that manager takes it upon himself to cause as much trouble for the "Godless heathen" as possible?

Any "scan all email" approach is an invasion of privacy and is on slippery footing because the SENDERS are not and can not be notified in advance. Anyone who has given out their work email address so that freinds or relatives can contact them has then opened themselves up to having their email sent to whomever monitors it, and possibly being disiplined because of what someone else sent!

What happens when one employee sends a message to another employee that says, "I fucking hate manager X"? If the script trigers on fucking this non-sexual, work related email ends up in the "monitor's" email box. There is simply no way to write a script that will trigger ONLY on valid "Pornography".

Legally a company MAY have the right to look through employee's email boxes. Morality always depends on your point of view. It varies from place to place and time period to time period. What typically leads the way is the precidents that are set. In other words, whatever you do now will have profound effects on the future.

The thing to remember here is whatever happens will also apply to you, and do you want a "Private" email from your spouse, or significant other(s) being read by the "Monitor"??

As an email admin for a large company, I can tell you that if this issue came to me, I would refuse to cooperate in any way. If it came to the point where it was an order, or they were going to bring in someone else to do it, my resume would be in the hand of Headhunters and on job boards almost immediately. In today's job market, the employee has more leverage then normal. If enough people insist on privacy, corperate america will listen. The one thing I would do before sending out my resume would be sending an email to all the employees informing them that their email was going to be scanned.

I would caution you against saying that you had done it when you had not, or faking the results. These actions could end you personally on the end of a harassment lawsuit (because you covered it up), and make things much worse for the company in the event of a lawsuit (a conspiracy to allow harassment).


Here's some interesting questions to ask anyone requesting email/web scanning:

1. When are we going to start monitoring phone conversations and voice mail to make sure it is work related?
2. When are we going to start searching employee's as they enter the building to make sure they are not bringing in Porn or non-work related materials?
3. When are we going to install the microphones in all areas of the building to make sure no employees are flirting or having non-work related conversations?
4. When are we going to install the cameras in peoples offices to make sure they are only doing work?
5. When are we going to start neutering employee's so that they don't ever get arrosed?
6. When are we going to start monitoring employee's minds to make sure that they only think about work?

and maybe most importantly:

7. Who is the "MONITOR"?


Ben Johnson

Give the burden back to the Human Resources Dept.

I've seen some good suggestions here, warn users prior to scanning or even just telling managment 'No porn here' even if you haven't looked (should work great if they're clueless).

But how about this, ask HR 'What is porn?', and how can my scanning scripts identify it?

Searching email manually for a large corp is out of the question. And what do your scripts look for. Dirty words? How many dirty words constitues porn? One? A hundred? Ask for a list of dirty words. Ask them to read the mail that your script flags (you can even have your script flag alot of totally innocent mail just to give them more work to do). Ask them to view all the binaries. In short, you can find a lot of work and unanswered questions to hand back to HR. Let them shoulder the burden. Hopefully they'll sicken of it and find some other useless project to justify their existance.

not true for me (working at IBM)

Maybe it's because I work at IBM Germany, where trade unions are much stronger. I can't say they are restrictive here. It's the company policy to allow their employees to use the Web for private affairs -- as long as no one is exaggerating it.

I read WWW during work all the time; a co-worker of mine uses IRC several hours per day during work -- so far, nothing has happened.

(Porn, of course, is a different matter. Not only do you use company property for private affairs, but you are potentially damaging the company's prestige.)

My boss told me the other day that, if an employee gets fired for surfing or having private phone calls, this will probably not have been the only reason he got fired. Probably, this will be just the good, justifiable reason HR has been waiting for because they wanted to close down your department anyhow or whatever.

Priorities

The answer is probably: yes, they can snoop on email, yes they can force you to do it, and so you probably should. But I'd put it as a fifth priority, something like 1) making sure your computer works 2) making sure the network works 3) making sure other users' computers work 4) download porn yourself 5) check to see that other people aren't.

Re:Priorities

[treat]

The answer is probably: yes, they can snoop on email, yes they can force you to do it, and so
you probably should.

They can not force you to do it. You can refuse, threaten to quit, and carry out the threat to quit. If your convictions in this matter are not stronger than your love for the job, perhaps you have other options. You can email everybody with a warning a few days ahead of time. One generic enough that you probably won't get fired over it, but specific enough that people realize to be careful. Defend your actions with "I was just making everyone aware of company policy. Why is that wrong?"

Re: Hentai, Japanese child porn

Pretending that the expression of ideas does not have a causal relationship is IMHO, either naive or generally self-serving.

So if a movie (with live actors) shows a woman being raped or a child (real child actor) being graphically killed, this is allowed because it it not harmful to children. But drawing pedophillic scenes involving people who never even existed is somehow ok. I'm confused. Why is a ficticious portrayal of one crime againse a child acceptable to the public but not another, esp when the latter doesn't even involve children in any way.

I think the problem is that as CG and technology make fake child porn look more real. Cops raiding someone's stash will, sooner or later, be UNABLE to tell if a tape contains real child porn (illegal) or perfect, indistinguisably life-like CG child PORN (legal). Rather than having to worry about the diff, it's easier to just ban it all right, even if it does trample of freedeom of speech and of the press. In what way can free expression utilizing pencil and paper get me jailed? Up 'til now, the anyway the answer was not in any way. You DON'T see a dangerous slippery slope starting here?

Re:The law is irrelevant here (an old hands notes)

Having been root at two of the largest Internet providers in the world, I've had a good deal of experience with being big brother. Although I have not been put in position the orignal poster is now in, I have formed, and suggest that all sys admins must form, an ethical schema with which to work by which would guide me in such a situation. In this case, I would let the company know that scanning others email for pornographic content violates my ethics and would request they put the task to someone else. If it appeared I would be fired for non-cooperation, I would move on. Although painfull in the short run, I'm damn sure hindsight would show I had made the correct decision. JowBuck is right on with this statement of a companies need to offer some level of privacy to an employee out of respect. Companies who respect their employess enough to not invade their electionic communications do exist! I currently work for such a company. I suggest that any of you who feel your ethics are being violated by your current employer move on to a place worthy of your talents. - Dumas

Go ahead and do it.

1. Get a list of all the people who support the porn-scan
2. Start scanning nightly for porn, and publish the results on the company-wide web site, and send mail to the president of the company, the legal department, and everybody else you can think of.
3. Subscribe everybody in the list from step 1 to as many porn mailing lists as possible, as well as the president, the legal department, etc.
4. Watch how quickly you're told to stop the scans.

Right? What right?

I value privacy as much as the next guy, but when did it become a "right" to download porn at work? If the company paid for the network equipment, computers, and the access, then they have the right to restrict their network as they see fit. How would you like people bogging down a network YOU pay for. I stick to business related stuff at work (and reading slashdot :), and do the personal e-mails and stuff at home. Finkployd

Go read Beowulf,

OK, there is only so many lies one can see in one post before one has to reply.

Agreed.

In Elizabethan english,

Ah, here's the problem. Go back further to middle or old English.

there was both a familiar and a formal version of the second person singular pronoun. The familar version was "thou" or "thee" Thou as the subject of a sentence: "thou hast a chicken on thy head", and thee as the object: "I despise thee." Neither of these words were every written with a thorn.

Wrong. Check out this university explanation of the thorn and see it used in 'the' and 'thou'. Or go read Beowulf in the original Old English. Besices the thorn English once used the eth (The unvoiced 'th' sound line in 'thought'), the asc or ash (the joined ae ligature still occasionally seen [today!] in words like encyclopaedia.), and the yogh (resembling a descended 3 with a flat top). People have such static concepts of the English alphabet and think if never changed. Heck, J and V and W are all fairly NEW additiona to the alphabet. Since ae is still used today, how many letters does the English alphabet really have again?

Re:Go read Beowulf,

[Eleniel]

this is *way* off topic, but here goes.

I visted the web site you mentioned. At the bottom of the page it says:

--quote
The other ``ye,'' the plural of thou, has a separate, less exotic etymology. The word ``you'' is not a misreading of ``thou.''
--end quote

However, you are right, thee and thou were spelt with thorns in the past - i stand corrected on that point. Guess it must just be me who didn't detect the voiced nature of the "th"s in those words.

I am well aware that the english alphabet has changed much over time, but it is a point worth making.

One day I'll read Beowulf - when I have time

Scan, but give fair warning

Probably the best way to keep your integrity & your job is to give everyone fair warning that you are being required to scan the network for pornography before doing it. People will clean their dirty laundry & your company will have a porn-free network. (And anybody who gets caught after such a warning is such a moron that they deserve it.)

If your managers have told you to do the scan secretly, because they are on a power-trip & want to "catch" as many of their employees as they can, then I'd probably follow the advice of some of the other posters & falsify the results (no porn found sir!) & start looking for a job at another company with more rational people in charge.

Re:If privacy is explicitly NOT given...

Aye I agree it's perfectly logical from a legal standpoint. But we are human beings and have certain beliefs, which we hold on to rather strongly(depending on our character). The decision to allow email porn(or not) is another belief(most likely the tip of the iceberg regarding employee privacy). The company is trying to force it's puritan beliefs down the throats of it's employees. Scanning for email pr0n is anal suspicion that their puritan values are not being respected by the employees. As long as the work gets done, I say they should keep the fuck out of peoples business. There's a fine line between "enforcing comany policy" and trying to own someones soul. And if your comapany is like most, ownership of the employees souls is nearly a complete process anyway. The pr0n and other "issues" are simply small outbursts of freedom companies feel compelled to crush so the soul ownership can be complete. I say pretend to go along with the policy for as long as you can and be looking for a new job in the meantime. I sense a bad case of hostile management out there. The only way we can cure them is by leaving them.

IMPORTANT

As a sysadmin you have the power to read the emails of your users in order to solve e-mail problems (routing, attachments, size, etc...).

You cannot use this information to "prosecute"/fire/kill/etc your users *UNLESS* you have directly given to them a warning that the emails are monitored, i.e. in the MOTD of the mail server if they have shell accounts, or a company memo sent to everyone on paper (not on email, natch), or even better: a signed letter back from each user.

Ask the company lawyer about this. At the very worst it will delay your scan when you tell your boss "There are some legal issues, so I am checking with the company lawyer". With any luck, you will be told to forget about it.

Q-Bert

Re:IMPORTANT

[sterno]

Actually, this is not true. Established legal precendents have shown that company e-mail, file servers, bandwidth are company property and can be done with as they see fit. There is no guarantee of privacy whatsoever and they are not required to state any policy on the issue.

My feeling is that persecuting people who browse porn is ridiculous. There are a few reasonable related concerns:

1) That people will be browsing porn instead of doing work.
2) That people will suck up network/system resources to browse porn.

So, if these are truely their concerns they should be scanning for excessive use of system resources, not porn specifically.

I think corporations who establish policies like this are just creating a totally pointless conflict between them and their employees.

---

Re: Hentai, Japanese child porn

Who gets hurt when an artist creates pornography? The same kind of people who get hurt when someone yells "Fire" in a theater, or when someone creates hate literature calling for genocide and racial/ethnical cleansing. Madison Avenue makes billions every year because literature, art and media cause behavioral changes. Pretending that the expression of ideas does not have a causal relationship is IMHO, either naive or generally self-serving. The courts in the United States have made corporations legally responsible for the "free expression" of their employees when the employees are using company resources or on company property. Free expression doesn't mean you have the right morally, ethically or legally to use someone else's resources to create or distribute that expression.

Re:What you should be looking for...

I've had to do this at my shop, too. It's distasteful, but once we fired a couple of people, usage on the email box plummeted and it was much easier to keep the darn thing running...

I find that scanning the manager requesting the scans, and including that in the report, and sending a copy to the IS director (as justification for all that scanning time) is effective in cutting the volume and frequency of requests :-). If you suggest that to your IS managemnt, they might take you up on it (as a cost control measure, of course).

Also, suggest to HR that they should be more interested in private business deals, stock trading, coupon trading, pyramid schemes and so on. Non-business use of email is hardly ever about porn, in my experience, since most of the porn is more easily available through HTTP. Most of the sexy hits I found were spams, and we don't prosecute for mail received, unless we can show that it was solicited...

Re:Are we moral sensors now?

This isn't about censorship. It is about the rights of property owners. At the office, the company owns the computers, the hard drives, the network, and the internet connection. An owner should be allowed to make the rules about how his/her property is used by his employees. Don't like the rules, exercise your God given right to tell the owners "Take this job and shove it" otherwise you agreed to the pay scale and policies when you agreed to take the job.

Ethics codes from professional organisations

You may find it useful to look at this URL: SAGE Code of Ethics - a framework code of ethics put out by the System Administtrator's Guild. SAGE is part of USENIX, and both are well worth joining. Being able to back up your stance with a code of practice from a professional organisation is useful. Also, at least one book discusses this: "Practical Computer Ethics" by Duncan Langford.

Personally, as a sysadmin, I would not scan everyone's mail for porn, or religion, or anything without ensuring everyone knew it would be done. The trust of all your users in you rests in two things: "I could read you mail but I don't" and "If I do happen to see your mail, like when you have problems reading it, I do _not_ tell anyone else what's in it". Once you lose it, it's gone forever. If your users know what's going on, they can't consider it as you abusing your authority without them knowing. And if they know the company is doing something that just doesn't work, isn't fair, and basing the treatment of employees on it, they might well vote with their feet.

It's practically impossible to scan for porn, or religion, or Monty Python references, or anything else complex. Your company's policy is deeply flawed if they think it is, and it's up to you as a professional person to educate them about what is and is not possible. For example, ask them to define 'porn' in such a way that a machine can scan for it. Then ask them to define, say, "company sensitive information" and similar things.

IMHO - good luck settling this to everyone's satisfaction.

Nicolai

Re:why must everything have a glib response?

I kept thinking "What does this have to do with glib? And shouldn't that be glib2.1?"

I need to get out more...

Scan for the BIG files (grin)

[Mark+Edwards]

Gee, all you really have to do is scan for 25 megabyte files... Oh, waitaminute - that's a two word attachment in Word for windows. Uh... never mind.

Mark Edwards
Proof of Sanity Forged Upon Request

Re: Crypto in France

[abischof]

> (encryption is banned)

Though that used to be the case, France has recently loosened its crypto restrictions. IIRC, they now allow up to 128 bit private key crypto.

Alex Bischoff
---

Jesus... you still work there?

[Wakko+Warner]

The computer industry is full of job openings. Look around. I wouldn't wanna be working for a greasy bastard like that.

As for losing trust for every employer -- don't. There are plenty of decent people out there who know how to treat other human beings in such a way that they are both respectful of and productive for them. (Hint: It involves treating them as human beings.)

- A.P.
--

"One World, one Web, one Program" - Microsoft promotional ad

Here's an idea...

[farrellj]

Go ahead and "find" porn..in the VP of Human Resources mailbox. Make sure it comes from an outside source...and then see how quickly the Witch-hunt dies.

It has worked elsewhere...

ttyl
Farrell

Re:Don't do it - I wouldn't.

[gavinhall]

Posted by polar_bear:

You are a person of conviction and honor - I respect that. Too damn bad you're likely to be jobless with those qualities. Speaking out about or refusing to enforce company policy is a very fast way to find yourself out of a job - I know. I got fired once for loudly protesting a random drug testing policy. I'd do it again, but this time I'd have more $ in the bank before I did it... Zonker

Re:privacy advocacy

[mds]

privacy is an illusion and, clearly, you are hallucinating.

please, share whatever it is that you're on -- i haven't been that out of touch since they last cracked RSA . . .

Re:What you should be looking for...

[On+Lawn]

No one said it was a productivity issue. Try a sexual harrasment issue, remember pornagraphy in the work place is a public offence even if it isn't public. I think that might be more the legal issue described above.
^~~^~^^~~^~^~^~^^~^^~^~^~~^^^~^^~~^~~~^~~^ ~

Yes, but would you work at a such a company?

[jonr]

...

Isn't about privacy.

[Nelson]

This has been to court before. It's not your's, then you don't have privacy or the expectation of it. Most employers will state that. In some rare circumstance you might be able to pull something off (like they find out that you are homosexual from an email and then fire you, if they never told you that the email might be monitored. Even then I wouldn't bet on it.)

You've got to be kidding if you think this is an invasion of privacy. When you started working there they told you about using corporate equipment for things. There is a degree of trust and respect, you call your wife from work and talk to her about dinner or weekend plans. You send emails to your friends from time to time. Porn is a perfectly reasonable place to draw that line, it can be sexual harassment, and it can invade the privacy of people who accidentally see it.

The alternative is to start your own company, buy your own hardware, hire your own people and the let them do whatever they want. And then deal with the work place harassment suit when a female employee sues you. We're talking about the bottom level of professionalism here, we're not talking about peering into people's private lives. If you want to view porn then do it privately, not in your place of business.

Re:Isn't about privacy.

[Mr+T]

The workplace is held in hire esteem by the American justice system than your public life. It's one thing to go and seek out a hotmail or ICQ account and use it, there are plenty of alternatives. Work is work and you don't have to work in a hostile environment. The two aren't the same.

You could probably try to sue though, and you could potentially win depending on what the user agreement says.

Re:Isn't about privacy.

[reman]

You know what I find funny, most of the guys I work with would never do the porn thing at work, however I have seen more than one female colleague with naked men as their desktop background (until I pointed how unamused I was and the trouble they would get into) and looking through porn that was sent via email.

I think the tide has turned where men were the main offenders here with their 'girly' posters. I dunno perhaps it goes on elsewhere but I work in a large financial institution so I think thats mainstream enough.

reman

Re:Isn't about privacy.

[Kintanon]

. Porn is a perfectly reasonable place to draw that line, it can be sexual harassment, and it can invade the privacy of people who accidentally see it.

So does this mean I can call my lawyers and start sewing the makers of ICQ because some idiot keeps sending me porn pages? Can I sue all of the porn sites that spam my hotmail account? They invaded my privacy right? They harassed me right?
Geez, what a bunch of bullshit....

Kintanon

Re:Human Rights

[jafac]

As a general rule of thumb, in America, if it interferes with the company making more money, it isn't permitted.

"The number of suckers born each minute doubles every 18 months."

At my job...

[SEGV]

At my job, my boss emails me links to the best Slashdot stories.

I guess that's the advantage of working at a cosy startup.

My thoughts.

[citmanual]

Ok, first of all. I have worked at several "tech" firms ranging from ISPs to programming houses. All small, same policies ("not on company time"). Although they didn't care what happened off company time. At one firm the boss loved to show off the hottest stuff off newsgroups.

Needless to say, the only filthy things that arrive via email tend to be ads for web sites. Thats all I get and I get WAY too much of it. I would think that those scans would yield endless garbage.

I feel there is nothing wrong with doing this as long as everyone knows. At my father's firm (large construction firm, very conservative), all mail is opened and checked out by the president. When my parents went through a divorce, my dad would talk to the lawyer who was sending faxes 15 sec before he did to make sure he was the one who got it. To prevent office gossip. I find very little wrong with this. Work is work and just that.

Now, I read slashdot, salon, and a few other things every day from work. I take my break time and split it up.

I think that everyone should know about monitoring policies and should deal with it themselves. If you want a personal email, get an account somewhere else.

Re:You don't have the privacy right (nor should yo

[Evangelion]

"We Came, We Saw, We kicked some ass!"

Sorry, slipped into Bill Murray mode for a minute....

The legal shit...

[Jayson]

First off, IANAL. Now, here is what the law says.

This is still a gray area; no case has yet to reach the Supream Court (that I know of) that has provided us an answer. However, the Electronic Communications Privacy Act of 1986 does provide some context (Title 18 of USC, go look up the section for yourself, you can expect me to remeber everything. Chapter II of the ECPA adds to Title 18). And recent state and lower level decisions also give some level of protection to both the Company and the Person.

The ECPA deals mostly with government behavior and monitoring, but it does not exempt the Company from its regulations. There are two areas that are closely related to the Company-Person relationship: (1) where the provider of the comminication service is allowed to monitor the communication and (2) where the monitoring is done in the normal course of business.

The first issue allows the Company to monitor services that it provides. A phone is considered a "common carrier" and is thus protected, however a successful defense had been made in the case where the phone is an extension and the company owns the PBX. The same protection is granted to mail since it is carried by the USPS. However the Company is allowed to search voice mail. Email is also monitorable since it is a service provided by the company (however this obviously does not extend to the idea if you telnet out and read your email on a non-Company machine. The Company would be allowed to monitor your telnet session, but not your email. This is what we have ssh for ;). These guidelines do not apply in all cases. We will get to consent later on.

The second issue is rather broad. It provides a delineation between business and person communication and implies that business only communication may be monitored. It also provides a defense for excessive targeted monitoring. There has already been successful litigation of this type. (In California, I think) An employee sued his employer for monitoring his phone for 24 hours straight to determine if he was attempting a robbery.

Consent is a very important issue. "Implied consent" is not valid to allow communication monitoring. The courts have held a very hight standard for this. There is one clear case where the company provides an "expectation of privacy" and then violates this. An expectaion of privacy can be anything from explicitly saying that there will be no monitoring to not specifying a policy (yes, that means by default you have an expectation of privacy). The more blurred case, but still non-monitorable is when the Company say the the Employee may be monitored. This does not give consent for monitoring.

The bottom line for a company to be completely safe is to provide a clear policy stating that the person *will* be monitored. The company should not try to monitor what they do not own. The company should only monitor business related communication.

-jason

Re:Get the 'witch hunters' fired...

[Black+Jack+Hyde]

Empty vodka bottles in the HR luser's wastebasket and letting the office gossip 'accidentally' overhear your concern about seeing them there (s'why the hard-core alkys drink vodka, can't smell it on their breath...who'd a thought it) should help with this. BOFH suggested Nyquil, but it's easier to get your bartender friend to pass you a couple of empty bottles of Stoli.

One or two snail mail subscriptions to fetish mags delivered to the witch hunter at work should get the mailroom people talking too.

Jack
character assassin

Systems Admin's Code of Ethics

[backtick]

http://www.usenix.org/sage/publications/code_of_et hics.html

This is a wonderful example of an ethical code for Systems Admins. The third paragraph of Canon 1 is especially apt in this instance. It boils down to 'A sysadmin should follow the policies given by the company as law, but should attempt to properly see those laws changed when needed'. UNTIL the policies of the network are changed, the sysadmin should follow them, or explain in writing why s/he believes there may be an issue with the way they are to be carried out. Then, the Systems Admin must make a choice on whether to enforce the company policies until they are changed or refuse at the risk of his/her job. S/he should explain fully in writing the reasoning behind and state EXPLICITLY why and how s/he believe this violates his/her code of ethics, either personally or professionally. That way, if the systems admin does lose his/her position, at his/her next post that systems admin can reference this ethical conflict and back it up with a written statement.

Re:write a script...

[GrenDel+Fuego]

Seems logical that if you have email access, then you have icq access.

Not really. It's rather easy for a firewall to block ICQ. They did it at my old job. Although they never were able to completely block AIM (can choose a random port).

Although I do have to agree that SOME form of chat software would work a lot better. Of course encrypted e-mail, or at least offsite mail would be the best recourse. I personally ssh into my machine at home, and I can get my mail from there.

Re:Phone calls vs. E-mail

[evilandi]

Phone calls cannot be monitored because the phone line is considered a "common carrier" and thus not the property of the company.
Wrong!

In the EC within the last month, laws have been drafted to make it mandatory for companies over a certain size to provide unmonitored payphones in an area of privacy. All to do with a legal precident set by some office worker who claimed the company was acting unfairly by not allowing her to 'phone her doctor or something.

IMHO that's a good balance. You can't make personal calls on company extensions, but you do have access to unmonitored payphones in a booth.

It's only a matter of time before this also applies to email here in the EC. British Telecom are already trialling 2,000 email pay booths at train stations and post offices.

--

Legal issues...

[planet_hoth]

Some of you may scoff at the seriousness of porn in the workplace, but I don't think some of you realize the legal liability this poses in American companies. There are many people who would consider the person viewing porn in the cubicle next to them a form of sexual harrasment, and would gladly sue their employer for not putting and end to it. So not only does this cause lost productivity, but it's also a lawsuit waiting to happen.
It may not seem really ethical to search through *everyone's* email, looking for the few that abuse the system. But it's likely that your company is not using you in some twisted ultra right-wing Nazi sex hunt, but are just trying to cover their butts from the lawyers. I would help them out.

the full-frontal strategy, and the judo strategy

[judd]

(Minor point for any fellow New Zealanders - i read a legal opinion recently that said that inspecting employee email violated the Privacy Act, EVEN when the employer provides the email access.)

Strategy one.

Point out that it is impractical to scan encoded attachments, especially if they are images.

Point out that users have no control over incoming unsolicted email. Point out that "unsolicited" is tricky to define.

Point out that filtering on keywords is a doomed enterprise. You won't be getting any mail from Scunthorpe, for a start.

Point out that the resource required to implement monitoring could be better spent in improving the workplace in other ways.

Find out the goal. Is it to prevent people goofing off? Is it to forestall harassment lawsuits? Is it control your bandwidth consumption? In the first case, give people meaningful work to do. In the second, educate the legal people to understand how this is outside the effective control of the company. In the third, bill people for email based on your server logs.

Write a 50 page cost-benefit analysis.

Strategy two:

Agree. Tell them that you'll be happy to start as soon as you have a $FAVOURITE_MEGABUCK_SERVER_PLATFORM to cope with the expected server load. Aim high.

Make it too expensive

[chrome]

Tell them that they would need to hire another 4 sys-admin's to read every single mail and view every single website that is used just to track the users - don't use a technology solution at all, and make it very, very, expensive to snoop on the users.

I see a Catch-22 here

[Rustless+Walter]

How is one supposed to decide what is pornography without viewing it oneself? By viewing it, one immediately violates company policy or the law, and should (by that same policy) be dismissed.

It seems reasonable to this author that one can refuse, on the grounds that the company is expecting the sysadmin to view material that is either distasteful or illegal. No company can expect its employees to break the law to further company business.

It is too easy to get into casuistry, or specious arguments, here. There are legal definitions of what constitutes pornography, so the philosophical question "What is art?" may not apply here. But the corporation should be clear on where the boundaries of its rules and legal rules lie.

I'm not sure about the policy ...

[jim]

... but I LOVE the phrase "gentle fascist approach".

Re:Are we moral sensors now?

[indigoid]

Does the fact that he can't download any child porn off the net to jerk off to mean that your neighbor will molest your boy looking for his high?

his ? whats this his business? perhaps a large slice of sexual offenders are male, but NOT ALL.

BOFHly Fun

[Ravenwing]

Now, while I admit I've had my fun scanning user directories for images, we never actually do anything with them. The admins around here believed that we were like confessors or doctors - we knew what you were really doing, but it's our job to be discreet. It's part of my job to manage the disk space allocations around here and when a group is whining for more disk space while maintaining 400M of porn, well, I'd be remiss in not clearing up that situation. It's my job to know what is on my network and allocate those resources to the best of my ability. Games and porn on our network are not the best allocation of scarce resources, but they usually get ignored until some idiot forces us to step in and put the smackdown on them.

With the proper gifsniffer, you can have hours of amusement seeing how users hide these things. One guy had them all named *.o and *.c; looked like one big code release. Made the mistake leaving an index README file in there, since I didn't recognize the 'package' name and I was curious as to what code was worth him going over quota. I usually just point out to them that they are over quota and here are some directories that would be good candidates for deletion (or archiving to home) - you do it, or I will in two days.

We've had users waste my precious time asking for file restores on their porn. This usually results in the deletion of all their porn and a nasty note. We've also had a user clog to unusability an ISDN link to a remote office with porn. He got a serious spanking for that one, I believe.

Re:Why porn?

[Mawbid]

I was thinking about the first reason only. Reason 2 hadn't occurred to me (believe it or not, the women I know do not scream "sexual harassment!" at the drop of a hat (or bra)).

While I can certainly understand the management's fear of sexual harassment suits, let's ignore that for the moment and concentrate on the misuse of company time and resources. Again, I must ask: why single out pornography? Jokes, slashdot, warez, mp3's and a host of other material are not fundamentally different from pornography in any way that I'd consider relevant. Can you rightly consider ten minutes wasted on porn to be worse than ten minutes wasted on "tech support callers from hell"? I say you can't.

Your employers seem generous and reasonable people, but for them to want to decide what is and isn't ok for you to view based on their opinions rather diminishes the quality of their character in my eyes.
--

Why porn?

[Mawbid]

I can understand HR being upset about eployees wasting company time. What I can't quite grasp is why they care whether it's wasted on porn or on, say, poetry.
--

Re:Why porn?

[theonetruekeebler]

I can think of two reasons:

One, pornography is unambiguously not work-related. Not only are the network connection, LAN, server, PC, chair and desk company property, but so is the time you spend on the chair at the desk staring at the pc that's connected to the server....If they can prove you're wasting company resources, they can either fire you or treat you like crap for the rest of your tenure--and in modern America, option 2 is the preferred. There's nothing a company loves more than an employee they've got by the balls.

Two, liability. For reasons which have been used in successful lawsuits, other women's breasts always sexually harass all female employees if it can be proven that any male employee likes them. Liking breasts makes a man sexist, and having a sexist male cow-orker means you're being sexually harassed by him. Unless as an employer you are actively engaged in a campaign against tit-liking, you are a party to said harassment.

It has been argued, sometimes successfully, that simply receiving sexually explicit materials at work via e-mail in no way implies consent to have received said material. You can't say that just because someone received non-work-related e-mail, opened non-work-related e-mail, or even failed to delete non-work-related e-mail, that they've intentionally engaged in non-work-related activities at work. The smoking gun, from HR's perspective, is sending such material, or forwarding it.

Here's a true story: At my old job, I used to use the company's T-1 after hours and off the clock, for all sorts of surfing and farting around. Yes, a fair portion of it involved downloading reams of pornography. Since I was able to demonstrate that what I was doing in no way interfered with the normal operations of the business, and since I was not redistributing anything, my employer simply instructed me to cut it out. They could have fired or reprimanded me, and I willingly concede that they had every right to do so. Instead, we reached the casual agreement that I could continue to use the T-1 after hours and on my own time, so long as what I was doing was not objectionable to them. I cheerfully accepted this condition, as their letting me use their T-1 to do my personal stuff was a favor which they did not have to grant me.

--

Well, there better be

[Mawbid]

French law damn well better protect your mail, since you're not allowed to do it yourself (encryption is banned).
--

Monitor all of the executives' email.

[Tsarnon]

You should start monitoring the email of the executives' that want you to do this. You could probably find some juicy bits and blackmail them into letting you not monitor the email.

Re:Been there, but didn't do it--here's how.

[Dastardly]

This is a management issue, not a technical one. You are a technician, not a manager.

Actually this bring up a good point that wasn't mentioned. HR alone really does not have the authority to unilaterally and arbitrarily have the network scanned for porn if it hasn't been before. This sort of order should come from above HR, and be OK'd with legal, and all sort of other things before it even gets to the IT person. I get the feeling this hasn't happened, and HR is requesting without any authorization from the higher ups.

Legal / Moral problem.

[RattRigg]

There is no question about the legality of scanning the email accounts. The system belongs to the employer and they have the right to scan it.
The larger question here is the moral one. Should you violate the users privacy and possibly cost someone their job by implementing a policy you personally disagree with?
Personally Id suggest to HR an unofficial scan first with warnings to anyone identified. Then implement the policy officially. Failing that I'd walk.

Lying to employer is not good idea

[BJames]

...just do as you're told as far as "looking for porn" but if you find any, notify/warn the employees involved in a subtle manner while telling your employer that you didn't find anything...

This is crazed! A sysadmin is someone who has responsibility to see to it that her/his network is not being used in a manner that could lead to harrasment lawsuits, and the passing of pornography can do exactly that. And then to lie to the employer about it is asking for trouble, let alone tipping off the offender!

I'm a sysadmin, too. And yes, I've looked at a fair share of porn, some of which would be considered in extremely poor taste, perhaps, but never on company time and never on the company wire.

The company the writer works for has a right (in the US) to protect itself from litigation, and if that means preventing someone from collecting and transmitting porn over the company owned network, then it is incumbent on the sysadmin to assist in that defense. A well-written internet policy should be in place to protect the sysadmin as well as the company, and it should be clearly understood by the other employees that they can expect monitoring... and take their chances, if they violate the policy.

Who the hell?

[synaptic]

Who the hell sends porn through e-mail anyway? If they really want to catch abuse of company resources, scanning NNTP and HTTP access would be the place to look.

About the only thing you're going to find in people's mailboxes is a bunch of pornographic spam that they haven't deleted yet.

Re:The law is irrelevant here

[James+Manning]

Based on the zebra.net address, I'd say Alabama, which is very US (well, as long as you don't ask anyone on the wrong side of the Mason-Dixon :)

Policies vary, but know this:

[neo]

If you are snooping in on someone's e-mail without their knowledge, there could be serious backlash. Case law will probably follow the use of the telephone at the workplace as an example, and you can't listen to someone else's phone conversation without letting them know.

It's their e-mail, and it's their phone, but it's still your privacy.

neo

Policies vary, but know this:

[neo]

If you are snooping in on someone's e-mail without their knowledge, there could be serious backlash. Case law will probably follow the use of the telephone at the workplace as an example, and you can't listen to someone else's phone conversation without letting them know.

It's their e-mail, and it's their phone, but it's still your privacy. neo

Re:Are we moral sensors now?

[Tack]

I personally refuse to write "him/her" ever. Why? Because it restricts language.

More importantly, it is simply grammatically incorrect. Why butcher the English language for the sake of being politically correct?

Jason.

How do you 'scan email for porn' anyway?

[Bazman]

It sounds like you've just been issued with a blanket statement 'you must scan all email for porn'. Get them to clarify.

Do they mean 'scan all email for pornographic images'? That'll be hard. Ask them for a list of all filenames that are pornographic images. Or a list of key words that aren't allowed in file names. Then email someone a picture of the lovely English town of Scunthorpe.

I honestly dont see how its practical, without some sort of tool for recognising large amounts of flesh-tones in images. Maybe such a thing exists, but anyway, you go tell the suits you need more information. Write them a long memo.

Baz

Can you horny fuckers hold it for a few hours?

[The+Master+Magician]

The thing that I can't believe is that people when they are at work can't get by without checking porn!

I mean, jerk off or something in the morning and then at night. Cruise the porn from your home machine! Get some self-control! If you are that bored at work that you need to surf porn, maybe you should ask for more work? Or maybe find another job?

I'm totally serious with this one! I can't believe that people can't control themselves enough to not surf porn from work. Or that they feel the need to use company e-mail to send porn to all their buds!

Let's get real here. If you want to send porn e-mail from work, use a web based e-mail system or telnet to your home machine or something! If you want to browse porn and jerk off at your desk, well prepare to be fired, stupid!

I can understand if you are one of those programmers that works 15 hours and doesn't get home except to sleep. Hell, porn should be distributed by the company for those sorry SOB's, but for you 8-10 hour schmoes (including me) what is your excuse?!

For the guy that is the sysadmin, I say, if you have the policy in place, no porn at work. Then don't feel bad that these people are stupid enough to disobey the rules. It is your job to make sure that the system runs smoothly and according to the companies guidelines. It isn't like you are blindsiding any of these morons. Everyone knows you aren't supposed to be hitting porn at work.

As for all you free speech people, I think when you find the guy in the cube next to you jerking off to big busty babes on the monitor, you might figure out where the line is at that should not be crossed.

Just tell the users you have capability

[cah1]

Quite apart from the privacy issues and the amount of time it will take you to do the job (presumably your boss won't mind the systems going belly up in the meantime), there's an easier way.

Just tell the users that their mail is being scanned for porn and that the web logs are open to scrutiny. I would suggest that there are two types of users out there anyway: those that assume it's happening and those that had no clue it was possible.

We all know how easy it is to write a Perl script to sift through web histories or a network filestore or whatever and pick out potentially "interesting" items - but whether this happens is another matter. I know that our sys guys have far more important things to worry about, but I also know that if it's becomes an issue then it's simplicity itself to set something up.

In this situation it sounds like a few words to the latter type, the ones who have no idea that emails and web accesses can be traced and scanned and probed, a few words would work wonders.

Of course, if you were really sneaky, take a snapshot of current usage, make a few announcements and then take another snapshot ... you'd only need to check the ones with a large enough delta :)

time for me to vent

[cthonious]

they ask me to do this sometimes and I just tell them "it cannot be done" :-) (unless they spend $$$$$$$$$) They have no idea.

Of course I have squid installed and I happen to know quit a bit about what eveyone is doing, especially the managers. The one looking into spying on people (my idiot manager) is the one coming in 1 hour late every day and surfing his porn account for two hours every morning.

Of course he doesn't even know what perl is, and he makes twice as much as I do and his christmas bonus was $25,000. His job is IT and he does not know how to make a shortcut on his little windows desktop. Fucking assholes.

Re:time for me to vent

[Dwonis]

His job is IT and he does not know how to make a shortcut on his little windows desktop.

Hmmm... I haven't used that archaic application (OS? Come on, how much do you expect me to believe? Everyone knows it runs under DOS.) for so long that I seem to have forgotten too.
--------
"I already have all the latest software."

Re: SSL Connection?

[dav]

I've always wondered about this. If you have an SSL connection through a proxy, is the SSL connection really between the proxy and the server, as opposed to the client and the server? If the former, that would mean your HTTP traffic could still get sniffed at or before the proxy.

Re: Hotmail does not guarantee privacy

[dav]

Even besides yestreday's notorious security problem, Hot mail does not guarantee any privacy. Your webserver proxy can potentially monitor all traffic, including your HTTP POST data sent when you submit a form such as hotmail's (or yahoo's, etc) mail composition form.

You'll Love This.

[doomicon]

I mentioned this some months ago but it aplies to
this topic as well.

Our IM department was pushed hard by Security to witch hunt for individuals accessing pr0n or for pr0n in email.

Their goal was to present this information during the next directors meeting, and ask for more headcount and funds.

However, everything backfired. After 60 days of logging traffic, they found that ONLY a few individuals were accesssing pr0n and those few were Directors themselves.

Do as I say, not as I do:)

As far as feeling morally opposed to going through email, I would explain that binary attachments are really the only thing necessary to check for. This may not be true, but this may prevent you from going through peoples mail. Just verify that their attachments are not images.

peaCe.

Of course you could do the above, find that the only problem users are directors, and HR will drop the issue in a HOT SECOND!:)

Re:Fighting the system (Add your tips here)

[hime]

Do you work in a lousy cubicle where you have no real work but have to tap the keys and pretend to be busy? Do you have a clueless boss who only tries to "keep you busy" but who doesn't (and can't) understand what you do?

About a minute after I read this, I got the "Life In Hell" reference. :)

2) telnet.
Most places don't bother to monitor telnet. I was at a place that scanned web/e-mail. The first thing I did was login to my ISP's shell account. Once in telnet, I used lynx, irc, pine, etc. to spend the entire day in blissful entertainment. This is one of the best options left.

Would that my company didn't block telnet like 2 years ago - I used to be able to when I was on this network ring. Then they split my project onto a different network ring - telnet blocked. Now I'm on a different project, but telnet is still blocked over here. But now I can bring in a modem! :) They did just put in a fucked up (redundant?) proxy server, though. And you should see the things I have to do to get Bovine working, since it refuses to work through port 80 for some reason.

Writing/Enforcing the Use Policy

[Fringe]

I wrote into our Network Use Policy that porn, etc., are forbidden and that using email or the net for them is a firing offense.

However, I also wrote into the policy that we will not investigate or snoop without a formal request from at least one "executive". (Director/V.P. level, of which there are three here.)

Lastly, the policy is also that we do not permanently archive email except for that saved to the "permanent archival" area, and we do not cache URLs. While this does open the door to violators covering their tracks, it does close the door to a large degree on our liability... because there aren't records we should have been checking.

If a user is under suspicion by a manager, proof is not needed immediately anyhow. The appropriate action is for that manager (or H.R.) to have a conference with that user to say: "There have been some complaints. We have not verified their validity, but you may want to be alert and careful."

Unfortunately, many H.R. people (and middle-level managers) are petty enough to prefer to bash people rather than getting on with solving the problems.

Re:If privacy is explicitly NOT given...

[Fringe]

Yes the company owns the bandwidth, the server, software, but do they actually own a piece of mail? I think if it is sent to the company and not an individual, then yes, otherwise, no.

If the mail is to or from a representative of the company, as indicated by the email address, it is company-business and therefore not private to the employee.

In other words, if the employee sends/receives email from their ISP account at work, that mail is theirs. If the employee works for FiggleDat, any sent/received mail to JoeEmployee@FiggleDat.com is company-relevant.

This is especially important considering the company may be held responsible for abuse from that account... such as inappropriate postings, propagation of child-porn, or even just damage to the company reputation.

Why is this even an issue?

[ZxCv]

I can't believe something like this is even an issue. If you were talking about private E-mail accounts that people access at home, that would be different. However, you are talking about company E-mail that is intended only for conducting business. People that use it for other than business, particularly when there are specific policies prohibiting such activity, are playing with fire. And we all know what happens when you play with fire...

As far as the privacy issue, I don't think that really applies here. Because it is a company email account, it should only be used for company business. Doing so means there is nothing private to be concerned with. Your concern for privacy is certainly admirable, but I obviously don't think its very applicable in this situation.

So grab a beer and that Perl book and get crackin.

Re:Why scan for porn?

[felix]

I believe you are only liable if people were notified of the problem and do nothing to prevent it. First time it happens you should be ok - it's all about repeated events.

At least that's what our harassment training guys said. And that makes sense, too.

NOT!!!

[Bilbo]

Grow up! That is a REALLY good way to get not only fired, but blacklisted too. I know I wouldn't hire anyone who acted like that. Are you really stupid enough to think something like that wouldn't pop up and bite you in the future? People do make complaints about sexual harrassment.

Quit if you think you must, but don't lie about it!!!

Re:NOT!!!

[Steve+B]

By lying about the scan or notifying the employees of the scan in advance without the permission of management you are demonstrating that you are untrustworthy.

Only Elmer FUD would try to lump these two concepts together. Lying about the scan demonstrates untrustworthiness, to be sure. OTOH, sending out a general notification (along with getting the directive to do the scan in writing and signed, having the directive include nit-picking detail on what is prohibited, procedures for handling claims of unsolicited/accidental pr0n access, etc) is essential self-protection.
/.

Re:NOT!!!

[Ronin+Developer]

Agreed. While I admire personal conviction, it amazes me that there are so many sysadmins on this list willing to risk their jobs and professional reputations by being dishonest.

As a sysadmin, your position involves a certain degree of trust. By lying about the scan or notifying the employees of the scan in advance without the permission of management you are demonstrating that you are untrustworthy. I, and most executives, would personally would fire you on the spot for such behavior (remember, employment is AT WILL of the employer).

While I am an advocate of personal privacy, corporate e-mail and PC's are just that, corporate property. Unless your company has a written policy stating otherwise, consider the information stored on company owned PCs or gathered via corporate resources (i.e. network) corporate property.

We have a policy where I work that personal e-mail will not be scanned and is considered private except in the rare situation that we need to gain access to mail for professional reasons (i.e. you're hospitalized or dead or on extended vacation and can't be reached and a very important contract resides on your machine).

But, we also have don't permit our employees to access pornographic materials (i.e. websites). If caught, you will be disciplined and possibly released.

If, as sysadmin, you feel the need to notify the employees, get the permission of those requesting the scan first (and HR..notify HR first!). CYA and be professional about it. Then, send out a notice outlining the company policy once a month. If people want to risk the chance of getting caught, then so be it. But, they were warned.

It's your job, sadly enough

[Black+Rose]

No matter how much you don't like to do it, it is your job. The company owns the network, therefore, they 'own' all the data on it as well. Post something to an internal list/newsgroup that the email will be scanned as a warning, and scan a week later. If it's corporate, it ain't private.

Re:You don't have the privacy right (nor should yo

[poink]

The proxy log would show the hit to licos.com (or whereever) that happened first.

Oh bull..

[dcm]

IBM does not scan everything. That's crap.

How in the hell would someone at Microsoft
know that?

Nice try.

Re:Are we moral sensors now?

[sinator]

I think that sexual molesters have, by their actions, waived their rights to being offended.

as long as it will be a threat to my kids, 'it' is what it shall be.

No, the law IS VERY relevant here

[slouie]

Any company that has either been hit or threatened by a sexual-harassment suit has to prove that they have done their best to insure that the work environment is not sexually-hostile. That includes removing pornography where reported and try to ensure that it doesn't happen again. Companies no longer tolerate centerfold pinups on the wall, they should also expect not to find it on your 21" screen.

Otherwise it's a possible million dollar lawsuit for the company and someone's job out the door.

If the sysadm feels that the scan is a problem, that person does have the right to say "no" and suffer the consequences. Personally, I'd just explain to HR how technically complex the task is, get them to send out a email memo announcing that company policy explaining the right to scan the system for porn plus the consequences, and not do the scan. Most folks will get the idea and delete it if they got it. Those who don't and get caught later showing it off, well, they get fired.

Remember the slacker sysadm concept for today to provide maximum results for minimal work. Sending an email warning will do in this case.

-S. Louie

McCarthyism: a term abused

[Dictator+For+Life]

What you've just suggested is the epitomy of MrCarthyism. Ratting out a few people to get yourself off the hook.

Err, this has nothing to do with what Joe McCarthy was after at all. Sure, some of the people who came before his committee may have behaved in the way you describe, but McCarthy didn't "rat out" anyone to get himself off any hook. He wasn't on any hooks (until the establishment took offense at his activities).

My point is neither to defend nor criticize McCarthy nor the original poster; let's not abuse what "McCarthyism" has come to mean (rightly or wrongly). McCarthyism refers to a so-called "witch hunt." The fact that some people preferred to expose other communists in exchange for leniency themselves is rather different. It's more like moral cowardice -- and if anything may be said of McCarthy, he certainly had the courage to pursue his convictions -- whether you agree with him or not.

Re:McCarthyism: a term abused

[Peyna]

I meant exactly what you said, and apologize for my use of the term "McCarthyism". I did mean the fact of the result of what McCarthy did, being that people would rat out their friends to save their own asses. Sorry bout that.

Suggestions...

[kolla]

Tell the witch-hunter to scan through all the offices for porn mags, see how popoular that is
Tell him it's not your job to monitor if people work or not, tyour job is to make sure the systems work.
Do you really want to work for a company that bothers with porn? Quit, get a new job :)

Things to watch out for

[dave_aiello]

I can't say if I would or wouldn't do it, but here are some things I would mention to my bosses if they asked me to do this:

1) If you work for a multinational, ask if management has asked Legal to determine if the new policy violates the privacy laws of the European Union. The EU privacy laws are slightly different in all member states, and they are much stronger than workplace and/or customer data protection laws in the United States.

2) If any of your users are known to be registered as contacts in the Network Solutions Whois database, they are almost certainly getting solicitations from purveyors of adult entertainment. Since many companies are not willing to disregard all inbound mail of a questionable nature, you probably ought to push for an specific provision in the policy which deals with this situation.

3) Many companies are moving to e-mail retention policies with extremely short holding periods in order to limit legal liability. I used to be against these, but I am starting to see the benefits when I think about the alternative of having to scan the content of mail messages.

Good luck, because this sounds like it won't be fun any way you slice it.

how about scanning web proxies to read webmail?

[Obscura]

Subject line sez it all.

Some companies are reading your mail and your webmail.

-Obscura

If it goes one way, it goes the other way too.

[Pig+Hogger]

The company I work for and their clients - for whom I'm sysadmin :) - have as much right to make sure nothing they disapprove goes on **THEIR** network as I do have the right to do whatever **I WANT** on **MYOWN** network at home.
I do not have the slightest tremor in my conscience when I am asked to go look at an **EMPLOYEE**'s mailbox for illicit (as per the company's policy) stuff.

-- ----------------------------------------------
Vive le logiciel... Libre!!!

Re:Electronic Communications Privacy Act of 1986

[sachmet]

"Amends the Federal criminal code to extend the prohibition against the unauthorized interception of communications to specified types of electronic communications. Prohibits unauthorized access to an electronic communications system in order to obtain or alter information contained in such system."

The thing to note, though, is that it's unauthorized interception and unauthorized access. Since they own the server, they authorize themselves to access the information on the system, and hence, it's legal for them to do.

Re:Fighting the system (Add your tips here)

[KyleCordes]

Alternatively, you could use SSH instead of telnet, which is good idea anyway.

(The real point of SSH is generally to keep people "out there" from sniffing names and passwords, I doubt the people that wrote telnet had in mind needing to use it to prevent packet sniffing by your own local adminstrator!)

My experience

[trabic]

I was in a similar dilemma to yours:
I work for a company of about 600 people. One day when our Novell servers were running out of space I took a look around to see what was taking up so much space. One of the things i found was a young man in our accounting dept with about 500 megs of pr0n on his network drive.

I decided to deal with it privately, told the guy to get it off (NPI,) and warned him of the dangers.

anyway, it worked for me

What worked for me

[mikeraz]

I was put in the same position with respect to web surfing when I worked for a bank. The agreement that people signed to get web access included a disclaimer that their surfing was subject to monitoring.

If your company does not have such an agreement in place, you should work with HR and perhaps corporate legal to get one in place before scanning. The possibility of an invasion of privacy lawsuit is sufficient cause - it's expensive to defend.

Our ultimate policy was that it was a matter between employee and supervisor. So a summary report of web activity was eamiled to supervisors. The report compared an employees total web access against the average web surfer at the bank. Those people in the top 10% of activity were flagged. To the best of my knoweldge, most supervisors just deleted the message without review.

Points about porn.

This was before nanny filters, so we generated our own list of blocked sites - this might be good for you.

Our corporate security department required scanning for people hitting porn sites we hadn't blocked. There were very concerned about a sexual harassment lawsuit, on the grounds of a hostile work environment.

If you sent someone an email pointing out that their visit to www.hotporn.com was recorded they usually stopped.

Re:The law is irrelevant here

[Stiletto]

This should be moderated past the top. Very informative, and good advice. If it's against your ethics, quit. If you are a competant sysadmin, you will have no problem finding another job, and make sure you tell your new company why you quit the other one!

Re:You don't have the privacy right (nor should yo

[IcI]

Privacy on hotmail? Obviously you didn't read the news from the day before. If a company has an established policy about this, all new employees should be informed during their first day tour of the office (or during the interview). If they want to start this kind of policy, inform user timeously so that they can clean up their act.

Re:Corporate vs Individual Rights

[matt[0]]

No, they don't have the right...no more than your landlord has a right to randomly enter your apartment and check your wife's underwear drawer for drugs...its like a rent agreement.

Re:Corporate vs Individual Rights

[matt[0]]

Oh, well, in a corporate environment the company does have the right to read your mail, I was talking about the ISP kind-of relationship where you are essentially leasing services. It seems to me that there should be confidentiality there, unless of course they are provided with a subpoena... (I hope....)

What about accidental porn?

[mattc]

What if someone gets porn in their mail as spam? I've gotten porn spam numerous times and I definitely did NOT sign up for it!

Openness

[azz]

One solution is to make everybody use an authenticated proxy server, as that allows you to see more-or-less who's been looking at what. If you're really in a BOFH mood, borrow a video projector and tail -f the proxy's log file onto the wall in some public area.

"I want to use software that doesn't suck." - ESR
"All software that isn't free sucks." - RMS

Re:Phone calls vs. E-mail

[cjs]

Recording of phone calls is quite typical at many companies. At the investment bank where I work, for example, all calls into or out of the trading floor are recorded, and random calls to or from other phones are recorded.

cjs

Corporate HR - idiots, all of them

[joshv]

Having worked in IT within a number of large corporate HR organizations I can say unequivecally that not a one of the corporations had a clue with respect to the Internet and a proper usage policy.

Number of points:

1. Scanning incoming emails seems dumb. I cannot control what I receive. I have some friends that send me some pretty foul crap.

2. In general internet/email usage should NOT be an issue of monitoring and logging. If your damned managers don't know what their employees are doing until some tech-weenies gives them a web access report the manager should lose his or her job. Employees can spend all day on the phone, or playing computer games, or talking at the water cooler - the internet is nothing new.

3. Why should HR care if someone is downloading porn for four hours a day as opposed to surfing for beenie babies on eBay for four hours a day. I mean if the idiot is showing it to other co-workers then treat it just like they had brougth a hustler into work, but if it is only on their monitor, HR should not care what it is.

It seems idiotic to me that someone who spends a few hours a day reading their hotmail can skim under the radar, while one hit at playboy.com can get another person fired. Again these HR droids do not have a clue.

4. If they are worried about usage from a capacity standpoint (too many large attachments) put a cap on incoming attachment sizes (from the Internet) - this should stop most of those cutesie executables that everyone sends around. Just plain text emails from friends are never going to tax their capacity.

What employees can do to protect themselves:

1. Don't use your company inbox for personal email. Get a yahoo or hotmail (I know, I know) account and access it via the web. If someone looks at a report and wants to know why you are using hotmail, tell them you have used that address for work related requests for literature or vendor information or on work related discussion groups, so you need to check it on a regular basis.

2. (common sense)Try to limit Internet usage at work and do not even think about hitting a porn site.

3. Many times usage reports list heavy users on top, and try to estimate usage time based on surfing patterns. Try to stay low on the list. If you have a lot of email to send (via a web email service), type it up before hand in a text editor and cut and paste it. If there are web sites you regularly visit, hit the major pages you read all at once and then go back and read the pages from cache.


4. If you do happen to get one of those 'access forbidden - incident logged' errors on what you thought was an innocent site, record the date and time, and the address of the site you thought you were accessing, and what you thought it was. You might need to explain. In general don't guess at addresses, or go to an address which you are unsure of.

5. Know your company's Internet policy, and if you are not a techie, or are a techie in the wrong department, get to know the person that is responsible for generating usage reports. Information they give you can help you slip under the radar.

6. In general, the bigger the place, the easier it is to avoid attention - be extra careful at smaller companies if they have a logging system in place.

-josh

Ways to play the game

[$Bob]

There are a couple of ways that you can work around this.

A) You could simply ignore HR and do nothing (but say you did)
B) You could do the scan and fake/ignore the results
C) You can warn all the users ahead of time, giving them time to clear their mailboxes and making it clear their privacy is not guaranteed in the company (All Hail The Company!). By that time the scan becomes an almost moot point.

A and B will likely get you fired if HR finds out. C will technically be following through HR's request, but you will annoy a number of people on both sides of the fence.

Unless you can beat HR, this is a no win situation.
_ _ _

Re:I caught my employer reading my email

[Timmy+TP]

Sorry to hear that you were betrayed by your employer. Had I been in your shoes, I might have quit. It would depend on my taste ( or distaste ) for my current employer/job.

In regards to how the IS guy should deal with the scanning for porn problem. I think that the best policy would be to warn the masses two or three times. Give them plenty of notice to stop the incoming offending material. Then when the scanner gets hits send notices both to HR and the employee. The nature of the material and ones relationship to the person receiving said material could result in a not-totally-unbiased reporting of incidents.

Did that make sense?

I'm probably going to seem righteous, but I'm of the mind set that has nothing to hide, so let them scan.

I've read and signed the Internet Policy here at __ ___________. I sometimes get offensive material (jokes, pictures, ...). I think most employers are more worried about keeping harassement cases to a minimnum, than keeping employees hands off their peckers.

Re:You don't have the privacy right (nor should yo

[N1KO]

What does that mean?

Re:France and Privacy

[kevlar]

The minimum you can hire someone full time for is 2 years in france... Thats the way to get your economy kicking.
"I will insist on taking whatever I can from the government or other citizens"
-Frenchie

Re:France and Privacy

[CopiceC]

The last time I tried to "come to France" the whole damned country went on strike!

quit the job

[josepha48]

Unfortuanately, the company network is the companies property and it is the companies email. At least in the US AFAIK. Yes it is an invasion of privacy to your users IMHO, but it is the company lan, and is for business purposes. I believe there was a company (I wont say the name but they are a consulting company) that got sued because its employees were found to be discussing the project in there emails, and they had nothing good to say, they were telling all the problem to outisdes, an dkeping the client in the dark. There email was used in court trials, in the US. Look at the Microsoft trial, the email has been used in court. Internal Microsoft email I believe. This is done all the time in the US, it is often downplayed thou.

Yes, this sucks!

However it is not a sysadmins job to scan and read email. It is your job to set up some utilities to send email with certain words in them to you, or an appropriate person. This is ofcource if the company requests it.

Personally, the company that I work for found this to be an incrediable waste of resources. We have 7 buildings in my home area, and a global network. There are just to many emails traveling thru our networks to track it all, and it would be a full time job searching thru email. They tried, and now it is just if you walk up to someones machine and they have porn on the screen then they get busted.

Yes it can be done, but as I said it is an incredable waste of resources. You should inform the human resource people that you do not have the time to search thru email, and that if they insist that you do this that they increase your pay as it will increase the amount of work that you do. Or just tell them you'd quit.

Sysadmin jobs are a dime a dozon, while sys admins are not. Just look in the papers today, there are plenty of jobs in most major cities in the US, and for someone with experience, you can leave the company and not have to put up with that.

Better in than under the jackboots!

[swb]

HR asks for this all the time, although not for porn, but in respect to particular "issues." I'm kind of opposed to the Orwellian nature of it, but at the same time it is the company's equipment.

It's kind of a bug hunt, really, because I never find anything particularly incriminiating and I waste hours of time reloading old backup tapes and so on.

However, it is kind of fun to scan people's email. Most of it is boring as hell, but once in a while you come upon some really juicy material (totally unrelated to the probe in question).

HR's attitude is kind of funny -- they're almost GLAD I can't find things sometimes. It's kind of like, the less evidence there is, the less likely there is anything incriminating that can be used against the company (although the less than can be used against the employees as well).

I guess when it comes down to it, you can either be under the jackboots or in them. I'll take the latter every time.

Totally illegal in many countries

[TA]

I don't know how things are in the U.S., but what your bosses are suggesting is absolutely illegal in many countries including my own. As it's illegal it can't be "overruled" by company "rules" either -- I remember a case where a managing director was charged and convicted for reading employees' email.
In general email should work exactly like snail mail, and it should go like this:
- If the snail mail is addressed to
company name
person's name
address
then the secretary or whoever opens it and registers it and everything. However, if the employee's name is at the top and only then followed by the company's name then it's personal and the secretary or anyone is absolutely forbidden to open it. A company can't just decide on it's own that any envelope coming in their door can be opened, whoever it's addressed to. The bank, the authorities, whoever, is allowed to send private post to any address, even if that just happens to be a company's address. They can refuse to receive it, but they cannot receive it and then open it. With email it should work like so:
- any personal email address is personal, and it's up to the employee to decide that this is company mail (if so) and forward it for archiving (if that's the practice).
- non-personal email should always have a non-personal address, e.g. project-X@company.com, support@company.com, internal-jokes@company.com etc. These addresses can work like internal mailing lists and can be automatically archived. Thus no need for intercepting and storing everybody's email either (another very bad and, in this country, illegal practice). If the company don't want the employees to have truly private emails then the only thing they can do is to refuse the employees to have personal email addresses. Fair and simple as that.
TA

Re:Are we moral sensors now?

[miscellaneous]

Or maybe we'll just use 'her'.

Or maybe ta (1).

You're right. But privacy's dead, anyway.

[Zico]

Dead right -- it's the company's equipment, and you're paid to do work-related things, not wank around on the job.

Yeah, I know the above's redundant, but I wanted to show a little support for the position as well as mention something I saw on TV tonight.

Congressman Bob Barr was on the Fox News Channel tonight (on the O'Reilly report) discussing ECHELON. He said that the House Intelligence Committee summoned a National Security Agency representative before their committee to (1) explain exactly what it is that they're doing, and (2) explain why they're doing it. The NSA official refused to answer any of the questions, invoking attorney-client privilege.

Kinda makes you wonder if the agency is accountable to anyone. So basically, nevermind the workplace, it sounds like those of us in the USA, UK, Australia, and New Zealand have had our right to privacy taken away from us anyway. I wish I were confident that my PGP- and Blowfish-encrypted stuff was safe, but I've got the feeling that the NSA can break those if they really feel like it.

Cheers,
ZicoKnows@hotmail.com

Message Board

[unx]

This is completely and totally legal, and ethical. It's my computer(s), so I'm gonna know everything there is to know about it, from your logon/off times to a spread of your most commonly accessed webpages from that machine.

[Seriously guys, what kind of moron looks at porn from work? The kind that needs to be *fired*!]

If I were in this guy's position, I would take a gentle, fascist approach. Since the Company wants to know what's on the Company's computers, and all employees of the Company are part of the Company, all employees should know the results of porn-sweeps.

Create a public message board, in a main breakroom or hallway, and post the results, sorted by name, of potentially offensive emails and files stored in all employees' work systems and mailboxes.

[Now, if the HR people *happen* to get subscribed to the Naked Amputee Chat mailing list, wouldn't that serve 'em right?]

Heck, once this plan goes into effect, broaden your power! Bug all phone-lines and Icecast them! Monitor everyone, and broadcast it on the local lan! Webcams in every office! In the restrooms! (That way you can find out who's been leaving that horrible noxious vapor after lunch...) Infrared those cameras so that everyone can see who's been farting in the hallways, and who gets aroused around the secretaries! PEOPLE HAVE A RIGHT TO KNOW THESE THINGS! Contract some ex-NSA spooks to follow all employees home! Force your hired spooks to sleep under your employees' beds, in case they talk in their sleep!

BRAIN IMPLANTS!!!
HIRE THE PSYCHIC NETWORK!!!

Re:Message Board

[herb_korn]

ROTFL!! I love it. :) Now THAT sounds like a fun workplace!

Re:You don't have the privacy right (nor should yo

[Peyna]

Isn't it Veni vidi vici? Or was that your point?

Re:You don't have the privacy right (nor should yo

[Peyna]

I think that it is "I came, I saw, I overcame." or something, but I could be wrong.

Re:Corporate vs Individual Rights

[Photon+Ghoul]

And maybe that was the point of my original post.

That's the way

[Photon+Ghoul]

Now that's a good attitude. By the way, _who_ is really doing the whining (notice spelling) here? Looks like it's you buddy...

Re:France and Privacy

[Photon+Ghoul]

I have a new respect for France.


Remember - it's corporate vs individual rights.

Cleaning up Web pages

[BurritoBoy]

On a similar topic, I was recently asked to clean up the web pages of an employee who had been terminated over said web pages. It was pretty minor stuff like links to the Bible and various political sites. When I was asked to clean up the pages I demanded that they tell me exactly what to clean up as I didn't want to be the one making the judgement on what is right and wrong.

Scary times.

Don't sweat the small stuff

[Master_Cylinder]

Go ahead and do the scan. There is no ethical reason not to. Employees are there to work not exchange dirty pictures. Make the requesting manager(s) specify, in writing, the criteria for what is and is not "porn." Tell the you need very specific criteria to effectivly locate the offending files.

Hand the results off to management and let them deal with the legal repercussions. Expect PGP to get real popular on your network...

Re:Are we moral sensors now? - statistics

[rark]

It depends on how bored I am :) sexual offense stats of any type (but esspecially rape and child molestation) are hard to compile accurately, both because of rates of reporting and because of definitions.

I don't have any quibbles with your figures, they just add weight to my argument, which was that after reading slashdot, where the great majority of the conversations do assume that the default gender is male (which I rarely quibble with, because I see it as pointless, even though I'm not male) suddenly some person is complaining about how sexual offenders, whom by *anyone's* numbers are by and large male, are being defaulted to male.

it was the utter and complete illogic of it that hit me...

Re:Are we moral sensors now?

[rark]

I find it very interesting that after reading several K worth of comments that assumed that readers were male, that employees were male ('guys ' is as gender neutral as 'him') etc etc, the only complaint was when sexual offenders (of which 70% to 95% [depending on where you get your numbers] are male) were referred to as male....

hmm...

interesting indeed.

There IS another view-point to this...

[Mindwarp]

Companies (especially large companies) are now, more than ever, likely to be involved in sexual harrassment lawsuits. If a charge of sexual harrassment is brought against a company, then that company will be investigated - this can include searches of that companies file and mail servers.

If any pornography is found on any company systems then that will be used in the court case to show that the company was negligent in meeting its sexual harrassment prevention obligations. In fact if I remember correctly (IANAL of course) this has already happened in a couple of high profile cases.

We live in litiguous times, and this unfortunately means that sometimes companies have to take strong actions to protect themselves.

Flame away...

Company property?

[orcrist]

I dont really buy this company property b.s. As someone pointed out above, if they buy you a notebook (as in paper), do they have the right to look at everything you write in there? It seems to me that the right to privacy does not disappear the second you're on company property. I'm sure an argument can be made that the company is allowed to monitor your work; but reading all your correspondence? At the very least they should warn everyone explicitly that e-mail is going to be checked.

The way I see it, the bandwidth may belong to the company, but what you write doesn't automatically belong to them. Imagine your wife visits you at work to tell you something important (and private); does the company have the right to eavesdrop on your conversation? Afterall, you are on company property (breathing company air). The exception to this might be an extremely security-concious company, in which case they damn well better tell you that they're listening to all converstations. I think the same would apply to phone conversations. As far as I know, a company must tell you specifically that phone calls may be monitored (I may be wrong about this), so I don't see why it should be any different with e-mail.

That being said, if they do warn everyone I guess they have the right, but I sure wouldn't want to work there. I got enough of that shit in the Navy. If a company can't tell whether its workers are doing their jobs from results, then maybe someone needs to monitor the management's e-mails to see if they are doing their jobs :-)

chris

Re:Company property?

[radja]

No idea how it is somewhere else, but in the netherlands a company isn't allowed by default to view your email etc. Now if it is in the contract you signed when you got employed there.. that's another matter. If it isn't, well.. then it's your privacy :)

why must everything have a glib response?

[AshleyB]

Does every problem have to have a solution that screams out "Look how smart I am in dealing with this problem so as to cram my opinion down everyone's throat!" Signing up the HR department to porn lists and then scanning them...weeeeeeeeeeeeeeee! That'll show 'em.
You know there is nothing in the world that is an attack on your way of life like people making sure that you are not abusing THEIR property.

Re:why must everything have a glib response?

[demigod]

I'm not sure I understand what you mean when you
say "abusing THEIR property". Are you saying using
their network/systems for other than company
business? If so I'm not sure if that's abuse or
misuse. If not ... what are you talking about?

If they want to fire people for using company
resources for other than company business fine.
I think they should fire people who do a lousy
job first and then deal with what's left, but
if they what to start with abusers/misusers then
they should be as willing to fire the old lady who
uses their equipment to correspond with her grand
child at MU.

Re:why must everything have a glib response?

[Dwonis]

You noticed too?
--------
"I already have all the latest software."

Re:Fair Warning

[atomly]

But this is just a step in that direction. The fact that your company can use the excuse that because they paid for the bandwidth they own the mail is scary. If my company buys me a notebook and I write something offensive in it, can I be fired for it? Do they have the right to search a bag if they buy me one?

Privacy in Corporation

[Surak]

Well, at GM there is a disclaimer on all login prompts that says something to effect that ALL communications are monitored. The company policy is essentially that because GM pays for bandwidth, equipment, etc., that personal communications of ANY kind are strictly forbidden and that all e-mail, WWW traffic, etc. can be scanned.

That being said, I don't think anyone at EDS (who does most sysadmin work at GM) actually scans the network traffic unless they believe there is a security breach of some kind.

How GM deals with the issue is that 1) it assumes that GM employees and contractors are professionals and as such are somewhat trusted to behave professionally and 2) not everyone automatically has Internet access, including access to e-mail: you basically have to have a business case. Most people with PCs have e-mail, but this is not the case for other forms of Internet access.

Finally, when it comes down to it, if you simply cannot morally abide by it, either A) refuse and stand up for your morality and get fired if thats what it takes (at least you will have your integrity) or B) tell them you're scanning but don't. B is a cop-out, IMHO: that option, in and of itself is morally corrupt.

Another option is to simply quit: there are lots of other system administrator positions available. But don't count on the other company to not put you in the same situation: its becoming increasingly commonplace for companies to scan their network activity.

UK court ruling => private phone calls at work

[Swamp]

A recent UK court ruled that employees were allowed to make private phone calls at work on company phones --- no URL, sorry. But, extrapolating, this implies that employees *could* be permitted privacy on the net at work, in the UK at least.

Anyhow, if you *really* need privacy, why not use hushmail and/or other encrypted web services?

Re:UK court ruling => private phone calls at work

[twilight30]

I just recently returned to Canada after working in the UK for five years, and I found my experiences at two separate companies to be instructive. The first job was at a temp agency's head office, where they expressly forbade people from using the e-mail system. I found a way around it, and friends used to send me porn and jokes quite liberally for about a month. After that I called in sick and of course management decided to go through my files. They actually were far more concerned that I had found the place a hellhole, and they expected me to apologise. They didn't receive it, and I was fired the same day. OK, so I was stupid. I learned.

The second place I worked at was far more liberal, at least at first. It was a large media concern, and some of the things people got up to were quite worrying to watch, especially given my previous experience. I kept my nose clean for the most part but felt very much more relaxed.

All this changed when the IT manager, who was/isn't terribly good at her job, decided she needed to justify her existence to the powers that be. Suddenly all sorts of 'company memoranda' started to fly down the pipe about 'our new company policy', and people became very worried indeed. When that national ruling came out, management's reaction was one of 'We don't care, we need to limit our liability.'

The following week, ironically enough, one of the IT guys was asked to cc himself all e-mails coming into the system. The Monday after this was implemented, our entire e-mail system broke down (using NT, of course) as a result of this one guy spamming himself to death.

Management then decided to monitor web access. By this time I had decided to leave for other reasons, but I did notice that the firewall system suddenly had gained the ability to restrict all sorts of nonpornographic sites for the flimsiest of reasons. For example, my director had to go to the Sunny Delight website, and was blocked from getting to it. Why? Because it had the word 'Delight' in it.

My feeling is that implications of privacy vis-a-vis the Internet will probably carry no weight; it will take a dismissal and resulting court case before the UK will have anything resembling clarification on the issue.

This has been asked of me before....

[SPiKe]

When it happened to me, I raised a big stink.

What actually happened was I was told by an admin with more seniority to provide a log of a user's e-mail activity. It was an order handed down from the COO.

I asked for a valid reason. None was supplied. I refused and went to the CFO and the Vp of MIS. They then implemented a policy of checks and balances, that any decision about invading a user's privacy had to be signed by them and put before the CEO.

I'm still there, 6 months later (can't say I will much longer). Of course, we have a pretty liberal group of individuals in management (except for the aforementioned COO), I'm considered the golden kid, and it has a bit of a family atmosphere there.

The employee, well, the employee was fired anyways. But I may save others privacy.

As for me, I "accidentally" violate people's privacy. sometimes I notice some exec's personal assistant mailing someone in one of our subsidiaries (who she has no business talking to).

Legality is not the issue.

[jaffo]

It sounds like company policy is pretty straightforward. Now, it depends on how this policy is given to the employee...if there is a rule book somewhere they can go look at if they (the employees) want to, there is a defense against the intrusion. If, however, there are flag's (motd's) banners on the bulletin boards, etc. explaining this, then there is NO reasonable expectation of privacy. Hey, the company owns the computers and has some sort of jurisdiction over the content. Not the best answer, but legally they might have the edge. I would ignore anything that is not illegal (child pronography, etc.) or not major abuse (i.e. 10+ images a day, etc.) It's just like playing solitaire on the Win95 boxes, wasted resources..... my $0.02 -Jaffo

What is porn in Email? (CDA Redux)

[KFury]

Somehow the comments drifted from porn in email to porn surfing. I'll be brief and limit my comments to three:

First, what is porn? It was only a couple years ago that a wife (girlfriend, boyfriend, what have you) writing to her (her, his) husband mentioning that she (blah) bought a new nightie and was going to wear it tonight would be pornographic.

Second, is it legal for a company to go through the email on the computers it owns without reasonable cause or suspicion? Yes. Is it legal for them to terminate someone for one of the above emails? This depends on the circumstances, primarily on whether the employee signed an employee handbook and exactly what was in it.

Third, if you, as the sysadmin, start romping through computers, you have to be damn sure of what you're looking through. If you scan someone's home machine they brought in to work, or RAS'd in to the network, a personal hard drive hooked up to an on-site company computer, or even a personal floppy or jaz, that person could sue for invasion of privacy and though the target would most likely be the company, it doesn't take Stephenson to figure out that you might be the next target in the witch-hunt-of-the-month.

Re:Web Serfs

[mindstrm]

This has nothign to do with the 'rights of corporation'. Whether it's the companies private PBX, email system, file server, what have you, pretty much every single employment agreement/employee handbook states clearly that THE PLACE OF BUSINESS is NOT FOR PERSONAL USE. That means TELEPHONE, that means EMAIL, that means FAX, that means the photocopier, the pens and paper, even the goddamn filtered AIR! and the WATER COOLER! It is all paid for by the company, for you to use in the capacity of doing your job. The fact that those same resources allow you to get porn doesn't give you the right to do it.
This isn't like they are interfering in your private life. You are at work, doing work.

Different Laws

[mindstrm]

I realize there are many laws regarding email, and it is very unclear.... but the fact remains.
Whether it is the journal book on your desk that the company gave you to record notes in, or the memo pad they gave you to write memos, or the email account they gave you for company purposes.

In most company networks, there *is* no expectation of privacy with regards to email, or at least, there shouldn't be. Not if it has been stated up front. It's not your personal email account. It's an account belonging to the company, and you happen to be authorized to use it, and it has your name on it.

As for refusing to do it based on privacy.... There is another way to approach it.
As I said, if it was declared that email is company property, for company business only, then
t *IS* company property. If they said that casual personal use was allowed.. they may have to be more careful. *may*.

Privacy in communication is necessary, but absolute privacy within the company is not.

My personal belief is that the only time snooping should occur on web traffic and/or email is when investigating some issue related to espionage, breach of NDA, etc, and should be done with very much courtesy for people's privacy. Personally, if the network allows you to look at porn at work, technically, and you do.... HR shouldn't be on a witch hunt. If people are meeting their goals, then HR shouldn't have a problem.
Granted, the company has the right to scan their servers for whatever they want... it's up to you as an administrator if you wish to either
a) change their policies or
b) not work for them.

The real problem

[mindstrm]

I think the real problem with this sort of thing isn't the fact that people are scanned, but what is done with the information.
If Mr. Sysadmin is doing his scan, and sees a few naughty-but-mostly-harmless web sites or emails, or sees that someone is developing a bad porn-mailing-list-habit, they should be informed, casually, that this behavior could get them fired and that they should cease and desist. This information should go no further, unless it repeats. I realize this doesn't fit the standard company mold, though.

All too often, it is some semi-technical type in HR that wants to see the compelete log file, to analyze who is looking at what, and then they go balistic, looking to fire people for wasting company time. They see a dozen hits to CNN and think that the employee is 'slacking off'.
If an employee is really slacking off, it would be their dept. manager that should notice, as their work will be no good. The network admin should notice if large amounts of network resources are disappearing, and should investigate. There should be no wich hunt, though. After all, the company doesn't check every single piece of paper and doesn't record and analyze every single phone call.
Yes, the company *does* have the right to read everything... however, how the choose to exercise this is a matter of PR.

Note: It should be the goal of any modern HR dept. to already know how to deal with these issues without going on a witch hunt. If they are going on a witch-hunt, this shows backward thinking and you should maybe rethink your HR policy.

Re:IF then only outgoing

[mindstrm]

No, one cannot control what others send them. That is why any scanned results must be taken in context, in private, to decide what it really means.

your company email

[sean.k]

should not be considered private. If the company has this in its acceptable use policy then that's that. No one says you have to report any hits to the powers that be, but if you're supposed to scan, you should at least have scanning software in place. Someone might bring a lawsuit against the company that requires scanning of email.

Why scan for porn?

[dave_bennett]

This is not an unusual request and I wouldn't give it any thought at all. Do your job.

If employee X is viewing porn and employee Y sees this, and is offended by it, the employer is liable for protecting employee Y, not safeguarding employee X's "privacy" or "rights". Our company has been hit by this and it is an open and shut case in the courtroom with employee Y a winner every time.

In fact, the newest scam is for an employee Y to just take a job at a place with the intent of pulling such a stunt.

A variation of this scam is for a Customer to enter a business. They see PCs in place and in casual conversation ask if they have internet access. If the answer is "yes", the Customer later files a suit against the business claiming they were exposed to pornography while "shopping" in the business. If a review of the legally obtained cache files and the cache index file of computers visible from where the "customer" says they were standing reveals porn sites were visited at some time, another slam dunk and the business loses.

It is not going to be unusual for businesses to request what they have of you. Get used to it. They are trying to cover their butts.

Dave Bennett
Chief Information Officer
Inland Truck Parts Company

The Best Way!

[richone]

Subscribe everyone in HR to pornography email picture lists. Turn them in. Work with the new HR folks for different policies. If they don't work out. Do it again. Information is power. You control the flow of information.

Re:The Best Way!

[Dwonis]

You'll slip up somehow, and get caught. Then what?
--------
"I already have all the latest software."

The company does have the right to snoop, but...

[meldroc]

As much as I hate seeing companies playing Big Brother with their employees, I have to concede that if you're getting paid to use the company's machines to get work done, they have the right to know how their machines are being used.

That said, if a company breathes too hard down the necks of their employees, the result is abusive managers, burned out employees, nasty office politics and extremely low productivity, meaning lost profit for the company. It's in a company's own best interests to respect their employees.

Privacy is one of the reasons why I left my last job. Now I have a much better, higher paying job where I don't have to worry about Big Brotherisms.

If privacy is explicitly NOT given...

[abh]

I'm a big fan of privacy, and I believe that everyone should have privacy in most situations. However, if the company has an existing policy that company e-mail is not private and that it is company property, then it is certainly within their realm to scan it. A company is paying for its bandwidth and paying the employees for their time, if an employee is wasting bandwidth and conducting non-work affairs (excuse the pun) with the company's resources, then there is no reason why the company shouldn't be able to take action. The e-mail accounts belong to the company, not the user.

Re:If privacy is explicitly NOT given...

[Woundweavr]

Funny, at my HS they let the administrators search more than the cops are allowed to, including bags, lockers, students, disks, and cars. And this high school is in a relatively crime free suburb, with no serious violence at school in a year, and a drug problem lower than the average high school. But of course, noone has any rights until they become human at 18.

Re:If privacy is explicitly NOT given...

[Quincunx]

When I was in High School, the staff was allowed to search lockers, because the school owned them. HOWEVER, they were not allowed to search backpacks in lockers, because they belong to the student. Yes the company owns the bandwidth, the server, software, but do they actually own a piece of mail? I think if it is sent to the company and not an individual, then yes, otherwise, no. Of course, the employees of the company probably have already signed away their right to privacy in the employee handbook (since it is a large corp). How come we never hear about this stuff with voice mail? And wouldn't it be in the company's best interests to scan for corporate espionage instead of porn? Don't they know they can get their own porn for free elsewhere? ;)

Re:If privacy is explicitly NOT given...

[Stu_28]

Yes the company owns the bandwidth, the server, software, but do they actually own a piece of mail?

Yes, they own the mail. Remember this IS a business we are talking about, not a school. In a business they are paying you to do actual work. Not to read personal e-mail, or view porn (unless of course you work for Playboy, Penthouse, etc., then I guess the latter is part of your job description).

You are given that e-mail account for one specific purpose--to use for business correspondence. Therefore, the e-mail address is NOT your personal property, you didn't pay for it--then you don't own it. It's "on loan" to you until you no longer work there. So, they do have the right to monitor thier own property.

If you are concerned about your privacy, use your personal account from your ISP for personal e-mails(I was getting ready to say, get a Hotmail account--but, after this past week I don't think that would be to private either :).

Re:If privacy is explicitly NOT given...

[kevin805]

I'll go for that, as long as users are told that their email will be scanned. I don't mean "use of company computer may be logged" buried on page 684 of the employee handbook, but email everyone to let them know that effective whenever, their email will be scanned for inappropriate use.

Employees don't have a legal right to privacy (not here at least, and I don't think they should), but they do have an expectation of privacy, and should be informed when their expectations can get them in trouble.

Pick on the big guys

[laktar]

If you started looking through the accounts of upper and middle management, I think that they'd quickly change that policy after the first few little embarrasing secrets were discovered.

Australian kiddie porn laws

[G-funk]

If you find kiddie porn in Australia, you are in violation of the law. If you report it, you are in violation of downloading it, even if you didn't mean to- if you delete it, or clear your cache, you are distroying evidence as well- you can't report seeing kiddie porn anywhere.

But they expect me to call the aba when I find some nasty shit on the internet.

Isn't my government kewl?

You better have a bullet-proof policy IN WRITING

[jacob.woldstad]

If you do this without a WRITTEN policy and WRITTEN authorization, you are asking for a world of trouble. True, it is the office's network and systems. However, somebody gets pissed and finds a good lawyer, and you are unemployable for a long while.

The way my work-place is thinking about handling it is that when a user account is created, the user is given a piece of paper that says something to the effect that "I realize that the computer and computer systems of my place of work are the property of my employer. As such, I agree that my activities on the network and in email, etc, may be monitored for ANY purpose." Then make the user sign this piece of paper. That way, your ass is covered.

In addition, HR should not be the people being concerned about this. If productivity is down, this is not a good way to handle it. If such a search is going to be started, it should started after proof of porn wasting time is brought to the head of the IS department (you or your supervisor I assume).

Just a few thoughts.

A question of taste

[faye]

My Sysadmin at my old job had an interesting "out" when it came to scanning web caches/directories/email for porn. It basically went something like this - he found porn offensive & distastefull (well he said he did anyway), there was nothing in his contract that said he had to subject himself to such distastefull duties, therefore he did not have to search for porn. :-)

witch hunt in the wrong direction!

[Evil+Willow]

The first thing that comes to mind after reading this is that they are searching in the wrong areas. I have friends all over this country from college and the variety of "interesting" things I receive in any given day can be astounding. To put it lightly, a lot of my friends are quite frankly "dirtly little bastards" and they do not always remember where to and where not to send things, especially if I have my bigfoot account pointing to work. What you are going to find is that some people have very little control over what their less than busy friends send them.

The second thing that comes to mind is, what are they really looking for? How many people do you know that actually get porn through their e-mail? Are they perhaps looking for people who may not be too happy at work? I would say that if it was me, I wouldnt want to work at a company that was so interested in whatever drivel I have going out in my personal e-mails, or even for that matter one in which I wasnt allowed to have personal e-mail.

The final thought that comes to mind is that I really gotta get my friends to start using PGP a little more often;-)

Here's what I'd do...

[Garin]

To heck with asking them to distribute a reminder... HR comes to me and says "Scan everything in email for porn." I say, "sure thing, it'll take me a couple of days to get things set up, and then I'll send the results to you". They'll be happy with that reply.

Then the first thing I'd do is email the entire company and tell each and every person the corporate policy on email/porn/etc. I'd also mention offhandedly that "At the request of HR, Computing Services will be conducting a thorough search of all email for porn and other forbidden materials commencing in two days. Any comments or questions may be directed to [insert HR moron's name here]"

After seeing this, all porn will be deleted, and nobody will be surprised by this action. HR might be a little pissed off, but there's nothing they can do about it (I followed orders). If they get mad at me, they end up looking like witchhunters, trying to ambush people. I'd call this the least of the evils.

Respect for privacy is a job requirement.

[Hedonistic+BOFH]

Unless there is a massive loss of productivity, or some untoward activites happening (both of which I doubt are very common), I don't see the harm in some personal use of the network.

Of course, the network is the company's, and most have explicit policies about owning anything and everything on it. So, really, there isn't much choice... scan for porn.

That said... I know that I generally work 10-12 hours a day, as do most people around me. Work is almost every waking hour. (sad, isn't it? ;-p) I would not want to work for a company that did not recognise that with the volume of time being spent at work... some private business can and should be able to occur.

--M. Snelham

Rock - you - hard place

[Phoenix+Rising]

An Ughly(tm) situation, this.

As has been stated, the company does have the right to sift through anything on its system, including e-mail. It also is perfectly legal, as stated, for them to root through your desk every night. Employees will start looking for other jobs if they notice the latter, and I would hope they do the same if they get too much of the former.

At my last job, I had to do research on a guy who was caught browsing porno sites on work time and resources. But it was made a lot easier because he was caught, in person, by his manager (who was female, and offended). I didn't have to sift through his e-mail, only his Web habits (IE keeps such a wonderful history). He'd also torqued me off because he abused the very limited network resources the company had. The policy at my current job is that e-mail is better left untouched, although the company policy does allow for monitoring.

I personally would not sift through everyone's e-mail by hand without a really good reason (preferably signed in triplicate by the requestor, the CIO, the CEO, and the Board). A single user, with good cause, yes. But even then I'd be happier with a nice script searching for keywords. Automated scanning, though I personally think it paranoid and disgusting, is legal (with notice) and does not really constitute "snooping" - after all, you aren't reading the messages (except those that are flagged).

BTW, for the commenter who noted no notice was necessary (according to legal precedent) - the last course material I saw on this said notice was a really good idea at worst.

And, lastly, if you belong to SAGE (the System Administrator's Guild), you should note that the SAGE Code of Ethics describes reading files (including e-mail) as a no-no.

Re:write a script...

[jzawodn]

YOU won't be violating anybody's privacy (your script will, but no human eye sees the non-guilty mail) except for those who are violating company policy

Are you serious?

Creating such a script and setting up a cron entry to run it is no "better" than just doing it manually. I don't think that qualifies as really helping the person who posed the question. He'd rather not have to get involved at all.

But I do have to agree with you in one way: Perl is cool.

Jeremy

Re:Company Resources, so...

[jonathanclark]

I agree with this for the most part. There 18 billion free web based email accounts you can get for your personal mail, so why not seperate your work email from your personal email?

One problem with this is that it is inconvenient to have to check mail in multiple place. Also, If you work 16hrs a day, you can't really seperate your work life from your personal life... they blur together. Your friends are your workmates and vice versa. An email might contain both personal information and biz activity.

On other thing.. Biz cards are often the most convient way to give new people your email address, but few people have "personal" biz cards. (Perhaps they should, you can buy 2000 for around $80).

If people used their biz email account only for business then there would be no conflict scanning their account. But it's always personal information that the company is interested in. (who's thinking of quiting, sueing, etc).

Get the hell over it

[musicmaker]

Geez... privacy is one thing, but disregarding the value of anonymity! please... save the whinning - Anonymous Coward. It's not like you even have to list your valid email addy, and besides, you think they don't have your IP?

Get over it. Anonymity is dead. Privacy is on the way out, and the US is the no.1 country for bad privacy laws.

What I did...

[xenofile]

Do a covert pre-scan, show flagged users how to use agents and rules to bounce possible incoming porn (& whatever else) off to their private e-boxes (give 'em copious examples).

Let 'em know your predicament about enforcing fascist company policy, give 'em an official "scan for real" date and only turn in those chumps foolish enough to not avail themselves of your kind offer. In all probability these scofflaws are rather incompetent in their jobs anyway...

Most folk in my company were unwitting spam victims and wanted the agents to just /dev/null the shit (management finally grokked the concept of "spam" (D'oh!) and dropped the matter completely, thank Ghod!)

[as a hypothetical aside]: Why would want to receive porn at work anyway? It's not like you can JO over it in your cubicle or something... Sheesh, do like I do... keep your porn safe and secure on your personal laptop (& copy to CD-ROM as warranted)

Re:What I did...

[QuantumG]

bah.. I'm here every day exploiting my facilities to read slashdot.. so I don't have a problem with you exploiting the facilities to read anything else you want to read. There is no moral right or wrong, your option to read pron and my option to read slashdot are equally valid (actually I access pron from work :) It gets real boring here sometimes and I just don't feel intellectual sometimes).

I wouldnt.

[Znork]

First of all, who is going to watch the porn? There isnt any sure way of scanning for specific kinds of images, which means someone is going to have to check it. I hardly think that your job description includes a requirement that you watch material that you may find disturbing. Or maybe the HR department is too lazy to get their own porn and want you to collect it for them?

Waste of company resources isnt a good reason either. Autoscan and delete any MS Word attachments would probably save more wasted resources in the average company.

Frankly, you can get a job at a better place. There are plenty of companies that value ethics and a respect for privacy. A sysadmin that has no compunctions about reading other peoples mail is someone who will just as well read the bosses mail and find out how to use it for his own gain (stock tips?). The only legit reason for checking mail is when someone is under suspicion of a crime, and in that case Id just check the logs to trace the offending mails, and just in the worst case actually scan the mail boxes.

A solution..

[Restil]

Ok. Personal email on the company network is not private. You will now be required to scan all email boxes to ensure that pornography isn't present. So the first thing you should do is to send a general notice to EVERYONE in the company informing them of the scanning policy so nobody gets caught offguard. That way, if there IS any porn to be found, it can be eliminated before anyone gets around to finding it.

This solves 2 problems. 1 - nobody will be "wasting time" by looking at porn and 2 - you won't have to come across as the bad guy.
The witch hunt will prove to be unsuccessful and a waste of YOUR time which could be better spent elsewhere.

Just a thought.

-Restil

We're making it illegal

[Ryan+Taylor]

at least in California. I heard this morning on NPR that a bill passed senate making it illegal for employers in California to read employees email. It passed without opposition. After noticing this ask slashdot question, I tried to find more details pretaining to the bill and have been unable to do so... I would hence take this information with a grain of salt. FYI, enough employees have sued over these kinds of privacy issues to scare MY company into making a policy of email privacy. We're even a little touchy about proxy statistics.

Anyway, hope the information comes in handy. If anyone knows where I can get information about this bill, I'd love to hear from you.

Ryan Taylor

Applications Developer, Schulze Mfg.

edit /etc/motd

[x0]

That and send _everyone_ an e-mail. IANAL, but all of the places I have worked have had me sign a waiver stating that all internal e-mail was the property of the company. Somwhere in that waiver it also states that all e-mail could be audited at any time. That said, I am not sure if it is implied that _not_ signing such a statement ensures that e-mail is private.

If HRs goal is to 'catch' someone with proscribed items, perhaps they will be annoyed that you choose to warn the lusers beforehand. OTOH, if the goal is to reduce/eliminate a problem, then everyone should be happy.

Serves them right...

[MrCreosote]

Anyone dumb enough to rely on email to get porn deserves to get caught.

Anyone actively getting porn off the internet is downloading it from newsgroups, not via email.

Do it ...

[slickwillie]

and send me the good stuff.

Re:Phone calls vs. E-mail

[Garpenlov]

Phone calls cannot be monitored because the phone line is considered a "common carrier" and thus not the property of the company.

Wrong!

At many places (say, call centers), monitoring phone calls is part of the normal process of evaluating employee performance. If you're foolish enough to make a personal call from the same phone that you take business calls on, and get monitored . . . oh well. Not only that, but all of your calls are recorded. The recorder runs 24x7 and will pick up noise from the room even when the phone isn't off-hook. Of course, I believe legally you have to announce this to callers (i.e. "To maintain service quality, this call may be recorded").

Re: Field Report (Company Undisclosed)

[BaronCarlos]

From this Field reporter's personal experience, all employees had to sign an agreement that ALL calls, voice mail, E-mail, Webbrowsing, etc, would be monitored. (And this is typical to most networked corporations and companies). I have a feeling that your organization has the same policy.

Carlosian Advice: Follow your orders, your concerns for privacy do not apply here, since there is no privacy that you possess to be concerned with.

And typically, anyone who is foolish enough to use a company server (or any server for that matter) to relay unencripted private correspondance is simply tempting fate, and deserves what is comming to them.

*Carlos: Exit Stage Right*

"Geeks, Where would you be without them?"

Only checking E-mail?

[Grand+Facade]

That to me seems like a genuine witch hunt, I can't see how someone sending/recieving
e-mail can be construed as non-productive. Who sends porn via e-mail?
Maybe some nasty jokes..... If their motivation is a productivity issue,
they should be blocking http access to or monitoring access and content viewed.
My guess would be that more time is wasted doing day trading and reading slashdot than grabbing p0rn.
And according to the directive from HR these activities can be interpreted as allowed????
--

Why you just not do it, and say you did.

[musique]

Hey, who's to know. It is a waste of time to do this anyway. If someone was sending/receiving porn, it would often be caught by other means--peering eyes or noticing that some people have a large e-mail file/DB, but few messages.

We caught one guy when we were checking our web logs to see what was taking up so much of our pathetic bandwith. The guy was demoted.

E-mail is different from a phone. For one thing, you can't send pictures over the phone. Also, all e-mail is routed through public networks. Sysadmins at many points have access to these e-mails. E-mail is far from private at any level. If users want privacy with their e-mail, they should use their personal accounts on their own time.

Who owns your thoughts?

[FunkyRat]

I wholly agree that the company owns the computers, but what you write belongs expressly to you. I know that in the US the laws don't reflect this opinion, but it is up to everyone to put a stop to invasions of privacy.

Knowing to much...

[StormC]

From my point of view, scanning email does represent in some what more of a problem... but look at it from the "bright" side, you don't read the proxy log to see wich WEB site where visited by whom etc.

Where I work (an High School) I have to monitor "Students" web trafic to ensure that there is "no" porn site visited and other "not allowed" sites. The only thing is that I don't only get to read the student trafic but also the "Staff" trafic forcing me to learn TO MUCH about some people by the web sites they visit when they think nobody is looking...

A good solution I found to that (and a good argument to prevent the "scanning") is to plead to my superiors that knowing "so much" about my coworkers would affect moral and relationship and would be a bad thing for everyone. The solution I proposed is to gather each log in a DATABASE and Run a small "home made" search engine to verify suspission on one individual.

Hope you could understand my poor: 3:30am english.

Make your mgmt. do the upfront work first

[JJSway]

As posted above, have your mgmt/HR dept. come up with a definition of what they mean by porn, and make the scanning policy public--including what will happen to people caught violating it. Whether the company is right or not, anyone with the moxy to take them to court will have an easier time doing it if they don't do this up front.

Then ask mgmt just how they expect you to scan for porn. Are they looking for curse words in the subject or text? If so, is s*ck one? Are they looking for picture attachments--how do you scan for that? Are they looking for URLs to porn sites? (Do you have a list of all porn sites on the web--you really should publish that --> so everyone knows NOT to go there ;-)

When mgmt comes up with these plans to "increase productivity", I "respectfully recommend" that they work their own derrieres (is this porny?) off figuring out how to implement them.

I also wonder how the people that come up with these plans have so little imagination that they can't figure out that as much, if not more, time will be wasted trying to come up with ways to get around the ban, as was spent by a few folks who just needed a little stress relief. I mean, what proof do they have that the activity exists to the extent that it warrants spending a sysadmin's time playing junior vice squad?

Encrypt your mail

[eey0re]

Why not use PGP et al and encrypt those 'sensitive, job-endandering' emails. Start giving out your public key to all your mates, encourage them to send you their's. And the suits can scan all they like....
Its a hassle, but its peace of mind.

Re:No, that's a bad attitude

[ReadParse]

Oh, I forgot to mention the reason I was going to post in the first place: I was going to say "Warn them first", which is how my posting ended up in this thread. But I got off track when I saw the posting that, when paraphrased, goes something like this: "they don't have the right to search their propery that we're using." I felt the urgent need to respond to that and forgot what I had set out do do... my fault.

I think "warn them first" is the most important message. We all use company software, hardware and or e-mail for personal matters, and my policy has always been to warn first for things like porn searches and so forth. It gets the stuff cleaned up and avoids any undue embarassment, or an otherwise-productive person from getting fired for something stupid.

By the way, I still think the handkerchief analogy was dead-on :)

RP

Re:Fair Warning

[ReadParse]

> The fact that your company can use the excuse
> that because they paid for the bandwidth
> they own the mail is scary.

It's fair and it's right. Company e-mail is company e-mail. Got personal stuff? Send it through your own.

> If my company buys me a notebook and I write
> something offensive in it, can I be fired
> for it?

If I borrow your handkerchief and crap on it, you'll probably want to not let me use your handkerchief anymore.

> Do they have the right to search a bag if
> they buy me one?

Of course they do. It's theirs. Sheesh. You want something of your *own*? Quit using the company's stuff.

That's my take.
RP

MailandNews.com

[edheil]

I'm kind of a connoisseur of free email sites. M&N.com does so many cool things, like the SSL layer, no tags on your email, full POP access... But the web interface is pretty slow and clunky, and there are unexpected holes in the functionality (you shouldn't have to wait five seconds for a new page to show up so you can select a name out of your address book, for example...) But there is no perfect free email address... :)

Re:Scan HR's mailboxes

[edheil]

Great idea! Not the part about subscribing them to porn lists. That's not playing fair. But you may be able to win while playing fair. Hit the people in authority first. Hit the big time suits; hit the HR people who started the witch hunt.

It's theres. They own it.

[cmjaw]

Though I am on the side of privacy I think that when you sign on to a company and you read the rules and the contract and put your signature on it that you wave your rights in the workplace. Everything is owned by the company, every e-mail, every v-mail, every cached little file on my machine and in my network space. They have made it clear that they own and can do whatever they want including going through my files looking for porn or whatever makes them happy. Do I agree with this? Well, I signed the contract. Would I do it if I were the admin? If requested to, yes.

This shouldn't even come up. Why the hell is anyone downloading porn at work anyway? If people are dumb enough to be fucking around at work, then they are taking the risk and deserve what they get if they get caught.

Re:privacy advocacy

[hndrcks]

I can't let this go without commenting - drug tests examine your behavior both on and off the job, while the mail scan is only investigating activity on the job. There's a big difference as far as privacy rights are concerned. On to the next point -

There's nothing "gleeful" about a company protecting itself from activities that could affect it financially, be it drug-addled delivery truck drivers or weirdos downloading and posting kiddie porn. It is a fiduciary responsibility - officers of a company are required to protect the assets of the firm, including "sue-able" assets, and the auditors would find them legally negligent if they didn't do this!

Re:The law is irrelevant here

[twinpot]

Well, we are assuming that this person is in the US. THe law varies from country to country.

I was asked many years ago by a customer to install monitoring software to check the work rate of secretaries. I POLITELY said that I felt uncomfortable about that and requested that if they wished to have that software installed, then they should contact my manager. If necessary someone else could come and install it. As long as you are polite, and reasoned in your arguments, most employers should respect this. If not, then you've got a good reason to find something else.

Note that in some countries this is illegal unless the employees are officially notified. There can be some fairly restrictive rules on how and when this information can subsequently be used.

The Real Problem

[TheLionMan]

As it seems, the problem itself is not just with the monitoring but that the HR department is forcing a policy on everybody. From research I have read, productivity in the office increases when the employees are able to make the policy of monitoring. If the employees had more input, I don't think this would be as major of a philosophical issue as it is.

The other problem is that too many companies have adopted a policy of monitor everything with no real reason to. I could understand starting to monitor transfers if there is a good reason to suspect something illegal going on. There is no way I would want computers I owned being used for illegal things. However, it seems a lot of companies just want to monitor everything first with no reason, and then make up a reason later. This is not just with computers but also with phone lines, cameras, etc. Of course this has resulted in several lawsuits against companies. The biggest problem it that is seriously demoralizes the employees of the company who soon no longer want to work there or just hate working there. The result is that productivity goes down seriously.

With the way a lot of companies are run anyways, it really doesn't matter much since the people in charge are too stupid to figure these problems out and why they are occuring.

Just my opinion.

Privacy @ hotmail... :-D

[zanONi]

This is not private at all. Anyone can have access to your account !
Even (more) secured web based sites aren't:
Data can be retrieved via the proxy, if your company use one.

I consider your post has an false advertisement for one of your company product: hotmail.

Re:Privacy @ hotmail... :-D

[TheHornedOne]

In theory, HTTP's caching scheme allows the server to specify no caching at any proxy. Unfortunately, this is HTTP 1.1 and not 1.0 and so it's a crap shoot whether your private email service would offer that. It's going to tend to increase the load on their servers so they probably wouldn't. I was somewhat surprised to find that SNhoTMaiL actually gave you the chance to turn off caching but after I played around with it I found that it didn't really work well.

No Brainer

[GMontag]

Scan it all. The users do not own any portion of that network, the firm does, to include any Co. owned machines "at home".
Just don't scan privately owned equipment.

Mongo Not Know -- Mongo Just Pawn In Game Of Life

[Steve+B]

Well, if they're telling you to do this, make them tell you exactly what they want done:

1. Require the legal department to sign off on the policy (for all jurisdictions in which your company has a presence).

2. Set specific standards for proving that any e-mail pr0n was solicited by the recipient, and not spam, maliciously planted, etc. Depending on just how much you don't want to do this, your definition of the word "specific" can be just as flexible as Bill Clinton's definition of the word "is".

3. Set specific standards for levels of accidental access to typo-URL pr0n sites. See above re the word "specific".

4. For each amendment somebody makes at steps 2-3, repeat step 1.

If a policy ever does emerge from the black hole that is a legal department (I thought it was common knowledge that Legal is where you sent bad ideas to die -- I remember seeing a Dilbert strip about this from before the boss had pointy hair), there is always malicious compliance.
/.

What about all the XXX spam?

[daemous]

Are y'all assuming that people f*'ng sign up for XXX spam? I'd rather break a toe. I filter it, but some sneaks through, 'cause I don't want to be too restrictive.

But I imagine a sniffer could catch the stuff before my filter weeds it.

Not to sound too anti-sexed, but I used to predict how lame a day was going to be by counting the number of Hot/Teen/Live/XXX/Sex spams arrived overnight.

Re:What you should be looking for...

[Yoo+Chung]

It's not a time waster, but it can be a big waste of disk space. Once, on a machine that I began to administrate, I discovered that almost all of the disk space was being devoted to porn.

I don't care if anyone looks at porn or not, but I do have a large issue with people who uses up so much shared resources on such a non-essential item.

within their rights..

[Josh+Picker]

i don't think that the company needs a policy expressly stating that all email is their property, it should be a given. obviously, there should be a code of conduct that office workers are made to understand that clearly states that there should be no pornography passed around the office, be it in email or on paper.

however, this company is within every right to read their employees email. it is THEIR company, not yours. if you don't like it, you don't have to work there. if you find that highly objectionable, then you really should talk to your companies higher-ups about it, and attempt to persude them to change their policy. if they don't and you are still strongly opposed, i suggest you get a job elsewhere.

It is the company's property but...

[infamous]

The company owns all the equipment, and has the absolute right to search the mail. They provide your computer and email as a tool to do your job. You can't take a company car for a weekend in Vegas, and you can't use your email for porn, if the company doesn't want you to.

Having said that, it's really a matter of whether or not you want to work in a culture that goes on witch hunts like that. A culture like that is bound to be repressive in other ways also (I bet you wear a tie every day, even if you are going to be crawling on (or under) the floor!)

I have worked in that type of environment before, and would never go back. I now work at a company that doesn't give a damn what you look like, or what you do in your spare time, as long as you get your job done. I'm happier now than I've ever been.

Think about how many hours you spend working every day. Do you really want that kind of weight on your shoulders? I certainly don't.

Re:Are we moral sensors now?

[hunterotd]

Well, I could defend him by saying that, when refering to someone of unknown sex, it is considered correct to use the pronoun "he", "his", or "him".

However, I would say that the writer probably was thinking of a male, because most sexual offenders are male, as you pointed out. This is a blinder type vision, and could turn around and bite some of us in the butt.

I think it's good that you pointed this out to people, because just because your neighbor is a lady, doesn't mean that she doesn't want to do things to your children.

It ain't worth your job

[Owen+Lynn]

1.) It's a large bureaucratic company

2.) It's HR, the heart of the bureaucracy.

I would find a smaller, less bureaucratic company to work at. Generally, the smart people of the world aren't working at large companies anymore. If you're working at a large company, and you can't get hired by a small startup, you're either 1.) inexperienced, in which case your situation is temporary, or 2.) incredibly lame.

If you are (1), then do the bare minimum to satisfy HR's requirements. Give them a few token heads on a silver platter, keep your head down, and *get* *out*. If you are (2), just use your inherent incompentence to keep everyone's privacy safe.

scan, and say you did.

[echo-e]

it seems that in a situation like this, you should make every effort to make everybody happy.

do the scan. make the reports....and make the suits happy.

but before that, send an email to everybody reminding them (in a particularly urgent way) that all email is company property, that transfering porn may get them fired, and than that you have been given the right to scan email for such material (and that you may excercise that right)

wait a few days, then do the scan. if anybody failed to heed your warning, then its their own fault.


-james

"He was a wise man who invented God." -Plato

Re:scan, and say you did.

[echo-e]

well, to begin with, i said a few days (rather than ten minutes) for a reason...esp for those people on sick leave.

it is my opinion that singling out any one person...asshole or not...drops you down to the status of asshole. maybe i'm a little too "peace and equality for everyone", but it is my feeling that singling out anybody among a group of offenders is unfair. even if the person singled out deserves it. trying to be fair and trying to do what is right can often come into conflict...thats why i feel that giving a warning is the safest bet.

it seems to be an unsaid law of nature that you cant please everybody...but you can try!

do the scan -- make yer boss happy.
send out warnings -- to be fair to your coworkers.
and if there's an offender on vacation...well, you cant please everybody...or maybe these are the people who's offenses should be overlooked.

if you dont do the scan, your boss will lose trust in you. if you do the scan and nail the offenders, your coworders will lose trust in you (at least in their mind.) Doing the "right" thing is never a clear-cut decision. the right thing always comes down to ballancing the good and the bad -- doing your best to please everybody.

and remember, if you do the scan without warning, you probably wont please your coworkers or your self. consider who is involved, and determine what you can do that will have the greatest benefit or "fairness" for everbody....but also remember, nothing is perfect. if you do your best to help everybody, then you will have the least to feel bad about in the end.


-james

"Waiting is." -V.M.S.

HOWTO-Fix-HR-Exec-Mail-Snoopers

[fastang]

Pure and simple, do what your told. BUT, post some messages to select newsgroups, using those who asked you to snoop. Results, unsolicited pornographic email. Personally I detest unsolicited email; but everything can be a tool in a fashion. BTW, yes it will work for you, it has worked for me (in a fairly large company I was on contract to), and it will work for us again.

Re:You don't have the privacy right (nor should yo

[weave]

At IBM, they monitor everything you get, every site you visit and if you go porn surfing then they fire you.

What if you make a typo and end up at some porn palace by mistake, and then as you keep hitting the back button and close box, more port sites keep popping up?

There's a lot of pr0n sites that get close to a real site's spelling just to trick you. Some I've stumbled into include icrosoft.com and licos.com

Big brother

[Hard_Code]

Many posts have said that it is well within companies' legal rights to put forth a policy like this as long as no prior guarantee to privacy was ever made (I don't think this is ever the case). I do not look at porn at work (although I usually have a slashdot window opn ;), however, as an employee, I would really feel paranoid if I knew somebody was watching all traffice that passed through my machine. If a policy like this was set in place I would probably start looking for another job. Imagine if you had "paper" job, and there was always someone standing next to your desk, or a camera over you, watching every single thing you do, making sure you didn't abuse company ledger and take company stationary and writing utensils. Sure, it would be illegal to, and you probably don't do it anyway, but it would still probably reduce your productivity if not job satisfaction. At a job I like to think that I'm working, not the company working me.

Re:BOFH strikes again

[QuantumG]

oh.. and my friend Dave has another question for you: You mean that you have been in a position where you can scan for pron and you havn't done it yet? You really are one of those "good admins" that we hear about. How in the world do you keep your (l)users in line? Example:

"Todd, I can't seem to access my email"
"Yer, that would probably be because of the size of your mailbox due to all that pron you get every day.. I'd say you just got an extra large amount of it today and the email program you use, Netscape Communicator 4.0, is taking a long time to download it all. Just go back to your office and wait"
"Yes, sir." - the executive head of human resources walks away.

another example:

"Todd, we've noticed that you have installed a quake server and have been actively encouraging the marketing department to 'get their arses kicked' by you when they should be working. Can you take this off the server please"
"No, we're not going to be doing that"
"Oh.. well I'm afraid I'm gunna have to ask you to."
"OK.. well I wasn't doing anything important anyways, just leafing through your email to your friend in New York.. ya know, the one where you explain to him how you manage to get your pron subscriptions not to show up on you and your wife's joint credit card..."
"Well I guess they can still play on their lunch break"
"Yes, I guess they can"

Todd is a figment of my imagination.

Re:write a script...

[Dwonis]

What happens to the guy who's wife emails him about the great time she is going to give him tonight and it ends up in some manager's (who happens to be very christian) email box? How will you feel when that manager takes it upon himself to cause as much trouble for the "Godless heathen" as possible?

Then you're an idiot to expect anyemail to be private. You wouldn't send credit card information over email, so why would you send anything else that is private? (If you knew how they worked, you would also not say private things on a cellular phone).

Also, although I've seen this a lot on Slashdot, it is my belief that you should not eliminate something good, just because it could evolve into something bad. Think about banning debuggers just because they could be used to crack some copy protection scheme, or (ala UCITA) allow you to reverse-engineer software.

I have an expectation of privacy when I encrypt something, or when I use a land phone line. I do not have an expectation of privacy when I send something in cleartext over the internet, or when I say something over a cellular phone.

It's quite simple.
--------
"I already have all the latest software."

Re:Are we moral sensors now?

[Dwonis]

Why is there always someone who will bring this up?

I personally refuse to write "him/her" ever. Why? Because it restricts language. Assume that 1000 years from now, we encounter an alien life form, having 12 sexes. Are we going to list them all any time we want to refer to any of them? (him/her/it/bhir/jior/shior/ghet/etc...)

No, we won't, we'll just use "him".
--------
"I already have all the latest software."

Re:You don't have the privacy right (nor should yo

[Dwonis]

You can tell by reading the logs whether or not someone accidentally got in. (following 5 links deep is a sure giveaway, not to mention having 20 porn hits in 2 weeks)
--------
"I already have all the latest software."

Yep

[Dwonis]

By the way, I wonder how much space it takes on Slashdot's server to store a 3 word comment saying:

"Yes, I agree."

--------
"I already have all the latest software."

Re:write a script...

[Dwonis]

I believe "expectation of privacy" is a legal term. You have an expectation of privacy in the washroom, although someone may install a camera there.
--------
"I already have all the latest software."

You don't need their stinking job.

[jcr]

Dude,

If you're a good sysadmin, and you're reason for leaving this job is that you weren't willing to help these lusers pull this big-brother shit on their employees, then any decent ISP would take you in a hearbeat.

A good sysadmin is *hard* to find. Let them find that out. Also, if you tell them no, they may get a clue that it's not OK to do.

-jcr

Re:You don't have the privacy right (nor should yo

[BenLutgens]

You're being paid to work and be productive, not punch bobo, however if thiers nothing to do.... (I spend some time reading /. at wotk) But a policy is a policy. i.e. "Any caught using company network to access pornography will be shot on site" I say scan away.

Why They do this

[Albatross]

The bigger issue is this - what exactly does a company achieve by resorting to petty monitoring, other than ruining its own culture and terrifying its employees?

The company's goal is to reduce the risk of lawsuits, plain and simple. We've all laughed at the stories of ridiculous sexual harrasment lawsuits, but for a large company it is a real threat that is always expensive, whether the allegations are justified or not.

If a company were worried about bandwidth, it would institute a limit on attachment size or something similar. That they are concentrating on porn shows they are more concerned with harrasment suits. It is easy to say "But I'm the only one seeing this," but what if a co-worker walks up behind you without you knowing? He or she could allege harrasment, which would cost at least in the tens of thousands of dollars just to defend if it went to court. The problem with the current harrasment laws is that the victim defines what is harrasment. Whatever I say is offensive in my own mind is harrasment.

It is against these kinds of lawsuits that the poster's company wants to defend itself. I've never met a manager that wanted to find employee's porn just for fun. They're just trying to protect the company from lawsuits. (BTW, Playboys in your drawer or dot-matrix printouts can be harrasment if someone that happens to see them is offended. I worked for a publishing company where the boss found, and immediately destroyed, an employees stash of mags.) What we don't know, and HR would never tell, is what the events are that precipitated this move. Maybe it's just technophobia, or maybe there have been incidents the poster is not aware of. Given the number of confessions in this forum, I wouldn't be surprised if it were the latter.

Re:Why They do this

[Kintanon]

but what if a co-worker walks up behind you without you knowing? He or she could allege harrasment, which would cost at least in the tens of thousands of dollars just to defend if it went to court. The problem with the current harrasment laws is that the victim defines what is harrasment. Whatever I say is offensive in my own mind is harrasment.

I think the biggest problems is that someone went and redefined 'Harassed' to mean 'Offended'. Harrasment is when you continually irritate, molest, annoy, pester, or otherwise interfere with someone. Offending is when someone takes a moral objection to something you have done.
If you are Harassing someone it would mean you were:
A. E-mailing them pornography against their will, constantly.
B. Physically molesting them in some fashion.
C. Verbally molesting them in some fashion.

Offeding someone can be done by:
A. Performing any kind of bodily function in public, nose picking, butt scratching, farting, belching, etc...
B. Having a religious symbol placed somewhere in your area.
C. Having a risque poster somewhere in your area.
D. An endless list of stupid things depending on who you are talking about.

Someone can be fired for Harassing someone else, they can be prosectued for it too.
Someone can NOT be fired for Offending someone else unless it can be shown that the offended person was impaired in their ability to perform their job. And even then it's difficult to prove something like that.

If I'm looking at porn in my cube and some female employee happens to see it, I might get fired for wasting company resources, but there can't be a lawsuit for harassment as nothing was ever directed against said female employee.
If I was e-mailing porn around the office, this would be harassment, if I was putting up pornographic posters in public places, this would be harassment. But my work area is just that, MY work area. It is difficult to sue a company for the actions of one of its employees if that employee was acting on his/her own initiative and the employees actions did not target you specifically.

In short, any idiot who tries to sue a company for harassment by one of their employees because he/she saw some porn on the employees monitor should be slapped upside the head and told to get a life.

Kintanon

Re:Fighting the system (Add your tips here)

[TerryMathews]

Be very, very careful with telnet. Unless you know what you're doing, it is all plain-text. Capturing packets from a telnet connection on your network is very simple, and they are in a nearly human-readable form immediately. You're best bet would be to setup a web proxy on a server you are familiar with (maybe a comp at home). Config the proxy to run through Apache and make it https://. Then you can use hotmail and read the web, and all a packet scanner would get out of it is complete garbage.

Not allowed here...

[psg]

Maybe not of interest to most of you, but where I come from (Norway), it's illegal to scan traffic/mail whatever, even if it belongs to the company, as long as there is no major security hazard/risk suspected.

Privacy is respected.

Re:Not allowed here...

[stanlee]

From reading our constitution and bill of rights I would say it is illegal in this country too...

Then again, since when do we do what those tired old rags say.

I agree with some monitoring of employees

[Shadok8]

I spent a couple of years as a network admin at a company with about 500 employees. Around 200 hundred employees did order entry in a call center.

This company wanted no monitoring, limitations, or lockdown on desktop PCs. It wasn't surprising that the company was not profitable. This was a very costly policy.

Common/ Constant Problems encountered:
- Employees surfing for porn for hours during 9-5. This happened all the time. The proxy logs showed who was most active. Shouldn't the company know if employees are not working? If an employee was sitting around reading playboy for 2-3 hours everyday shouldn't they be counseled and then fired if they do not start doing their job
- Employees surfing entertainment sites. I could walk around and usually see at least 20 employees in the call center glued to ESPN's home page. Considering it was a computer company was that really right? If an employee sat around reading sports illustrated all day, that's a problem. If an employee is at ESPN all day, that is a problem - and hard to detect.
- If it were your company would you be happy knowing that employees are getting entertained instead of working?
- Email - used to pass porn, games, Word macro viruses that blew out most of a call center (I had already gone). The system's in the call center had to run some very strange, very problematic third party, non-commercial apps. It gets really old, really fast when employees keep crashing their systems because of some strange program their buddy emailed them. On one occasion I went through and traced through a software trading ring that existed in the call center - it usually took about 2 days for a program to hit 80% of the call center.
- The female employees do NOT like seeing hard core porn on their coworkers screens. This happened a lot, daily in some instances.

Because there were no clear rules, a very ugly form of favoritism evolved in the call center. If the managers liked an employee (Or often if they found a female employee attractive) the employee could get away with a anything. They easily fired many hard working, but unpopular employees.

Eventually the call center deployed a PC and phone call monitoring system. At any time a manager could be listening to the employees phone and viewing their PC screen - and recording everything. Call Center's love that technology, personally I find it TOTALLY offensive. I think it has little value and simply indicates incompetent management. A good management team would never use or need such methods.

There needs to be a balance. A company needs to manage operational costs, keep productivity high, and respect employees. If employees are not respected, the most valuable will depart.

A company needs to clearly and public state what is acceptable. Any "measures taken" should be kept to a minimum and made public knowledge - Big Brother works in secret, a company working to contain costs should not. Employees need to be trusted and respected. At the same time though, some measures have to be taken to keep costs down. At the company I was at, there were a lot of young people that had not worked very long. Some restraint was needed. I saw what happened with no restraint and it was ridiculous. Some IS employees started referring to the call center as "High School" - it was all about being popular and getting away with as much as possible. I am serious - it really was like this.

I think acceptable measures are locking down desktops completely and blocking access to non-work related web sites (that's why its called work!). Fire employees that get caught a third time viewing porn. Fire them because they are not doing their job - don't even bring up the porn issue.

I like locking down and blocking. It sets limits but does not invade privacy, it is not watching over anyone's shoulder. One alternative is have an open environment, which rarely works in the real world where there are hundreds or thousands of users. Another alternative is monitoring, and that is to degrading and disrespectful.

Please don't flame me. I know how popular my opinion isn't. I'm just relating my experience and if you know of a better way, I honestly would like to know.

Re:I sorta agree with Cliff

[radja]

If I choose to walk to the a gas station on my lunchbreak and buy a stack of girly mags, that happens to be my business, and my business only. nothing anyone can do about it. (assuming ofcourse that I'm buying legal porn, not the "12yr old and 3 sheep!"-kind.. which I highly doubt any gasstation has in stock..)

Re:write a script...

[theonetruekeebler]

"I didn't kill that guy--a bullet did! All I did was point my hand at him and twitch my finger. It's a bullet that did all the killing, not me."

--

Re:I sorta agree with Cliff

[jflynn]

"Your at work, to work. "

It's nice to see the Puritan ethic still alive and well :). How 'bout those people working 12 hours and getting paid for 8? They supposed to concentrate on work and nothing but work all 12 hours? Thanks to unions most folks have lunch and coffee breaks now, at least.

Separate the moral issue from the rest. If someone isn't producing, warn them, then fire them. Don't worry about analyzing why unless the employee asks for help. Similarly for drugs, test functionality, not blood or urine.

The liability issue is one I can't see an easy solution for. I think it arises from our basically broken culture -- sexual harassment seems to be a combination of asshole behavior with extreme sensitivity. When a company engages in a culture of sexual favors for promotion they deserve being sued. I can't see their liability when an employee misbehaves unless they refuse to discipline them, or if repeated, fire them.

Possession of illegal information being a crime (say what!?), the normal standards should apply. Presumption of innocence, requirements for probable cause for search. Corporate workplaces define the 'laws' we live most intimately with, what good are general civil rights if we surrender our civil rights there? Can't you imagine a future where corporations provide very nice housing for their employees and monitor everyone's internet connection 24/7? Don't worry, you'll still be able to choose *which* corporation monitors you!

Jim

Re:Phone calls vs. E-mail

[Lucius+Lucanius]

Actually, I think the key word is 'recording', not 'monitoring'.

Thanks to Linda Tripp, I suppose everyone knows by now that state laws determine whether you can legally record a conversation.

"A one party state means one party to the telephone conversation has to have knowledge and give consent. In a two party state, all parties must have knowledge and give consent. It would appear that, if a telephone conversation crossed state lines, federal law would have jurisdiction. "

I found this URL to be pretty informative. Look up the place you live in. Oddly, most seem to be one party states.

http://www.pimall.com/nais/n.tel.tape.law.html

L.

Re:Fighting the system (Add your tips here)

[Lucius+Lucanius]

"Be very, very careful with telnet. Unless you know what you're doing, it is all plain-text. Capturing packets from a telnet connection on your network is very simple.."

Agreed. However, I think it's extremely unlikely that any company would bother to monitor telnet. In most IT depts., telnet is such an arcane thing that almost nobody uses it, and I'm pretty sure most HR people are unaware of it (I'm talking of regular corporations here, not hardcore geek shops, so don't get all agitated when I say almost nobody uses telnet).

Unless, of course, some weasel sysadmin reading this goes on a telnet sniffing spree. Oh, what have I done?

L.

Because it's entertaining

[Lucius+Lucanius]

:)

Re:Phone calls vs. E-mail

[Our+Man+In+Redmond]

I was once told that when Microsoft was first connected to the Internet, the guys in Network Ops watched with amusement as the caches began filling up with hits from porn sites. Fortunately they didn't particularly care, and apparently still don't. I mean c'mon, if they were paying attention they might notice I was posting to Slashdot, and then how would I report in?

Excuse me, there's somebody at my office door.
--

Re:Send out a reminder first.

[lowflying1]

Moderate this up.

The written policy appears to have been different than the executed policy. Individuals should be given warning of the sea change. At the very least, asking for this buys you time.

Everyone seems to be answering the wrong Q

[unAnonymous+unCoward]

All of the posts I have read are missing the point. This guy is doesn't want to be a voyeur, he doesn't want to be a babysitter, he doesn't want to be a tattletale. He doesn't want to be any part of any implementation of a privacy policy. His question is: can my employer *force* me to do this distasteful, snoopy job?

The answer to that is: yes. If your goal is to keep the job no matter what, and they are really insistant and will not let you back out, then you will have to leave or you will have to get fired. Most states have employment-at-will, which means that you can be fired anytime, for any reason or for no reason, and they are not required to tell you what the reason is.

What would I do? Well, first, I am such a straight-laced cuss it may be that no one would even dream of putting that kind of request to me. But if they did, I would firmly state, immediately, that I would not do that, and they could do whatever they want, but it won't get done, get someone else or fire me or whatever they want to do. Basically, I would let them know in No Uncertain Terms what my position is. Then I would leave it up to them.

solve the problem the easy way

[frobnoid]

Make a hotmail account and spam the suits with porn advertisements. Turn up evidence the CEO, CFO or other high ranking officials have been receiving these porn spams. I'm sure the problem will dissappear then.

Re:Corporate vs Individual Rights

[Stormthirst]

It depends where the original poster was from. In the UK, my lawyer friend tells me that it is perfectly legal for someone like a sysadmin to read email and documents if they do not have to alter the system (crack it, for example) in order to gain access. The same goes for telephone taps and the like.

I have no idea what US law is like, they are a little more concerned with their rights, though it is changing over here.

Re:write a script...

[UnknownSoldier]

> You have got to be kidding! What happens to the guy who's wife emails him about the great time she is going to give him tonight and it ends up in some manager's email box?

Get the husband and wife to use icq. ;-)
Then delete your message history at the end of each day.

Seems logical that if you have email access, then you have icq access.

Re:Don't do it - I wouldn't.

[Paranoid+Diatribe]

I was stuck in an odd position dealing with this sort of thing.

My advice is for this kind of think, try to work the "word of the "law" to your advantage. Poorly-written company handbooks can sometimes be your friend. :)

I was a sysadmin for a small (50 or so employees) company. It was pretty much a grass-roots organization. I think we had maybe 2 levels of management. I don't think monitoring employees ever crossed the minds of "management".

Then we merged with another larger company. Things really changed over night. Though the company now wasn't *that* much bigger (250 employees), we became so bogged down with bullshit corporate red tape it wasn't even funny. I think the Titanic had a smaller turning radius than this little company.

Well, the new "HQ" totally flipped when they found out we weren't firewalled. So we whipped up a linux box and in a day had our internet connection locked down. It turns out they really didn't give a shit about security -- they just wanted everyone to go through thier firewall, which they dutifully logged all access.

(An aside: These morons, who tried to push thier "Security" on us really had things wide open. For grins, I hopped onto my personal ISP account one night from home. I was able to use their proxy server to proxy behind their firewall. Of course I informed them, and it was quickly fixed -- but I never got so much as a thank you. :) I don't know how many port scans I did on their firewall from the outside, but they never once noticed. But they bought a firewall appliance -- a BSDI box with a gui administration front-end -- so it must be secure.)

Anyway, morale took a major hit. People were always cursing under thier breath about "big brother" and such. I was as much as victim as my users were, so I tried to do the best I could.

My view, as an admin, was that while the Company had the right to monitor thier resources, users had no obligation to make it any easier. I set up a junkbuster proxy at our site, which proxied off of the "official" corporate firewall. All connections were logged at HQ's box (I turned off junkbuster logging), but they could only narrow it down to our site. If an abuse was brought to my attention, only then would I consider other measures.

Furthermore, our Intellectual Property Agreement wasted a lot of paper on trying to protect company data/info/etc. So I felt a moral obligation to protect my email from anyone hacking the mail servers. Naturally I used PGP -- I even had a registered copy for my office workstaion. I encouraged others to use PGP as well, but as most here might expect, it was too much trouble. I was never called on the encryption, but I would have held out for a court order to unlock my mail.

It's a shame, too, as there were several cases where the corporate goons did a sweep of everyone's mailbox. I was browsing the event logs on our local Exchange server, when I noticed that one of the corporate admins had systematically opened up every one of our mailboxes. I enquired and pressed for a justification.

Here's what I got: Being a software comany, they held several user conferences a year. At the most recent conference, it was alleged that a competitor got a hold of a list of customers who were attending and chartered a riverboat dinner cruise that same time/location as our conference and invited everyone who was registered to come to our event. Naturally, management suspected one of their own and went on a witch hunt. I thought the whole thing amusing, and somewhat clever on the part of our competitor. I would expect nothing less from players of a sales-driven industry like ours. I don't know if any of our customers even took the offer, but it sure pissed off our top brass. So they went through everyone's mail in a vain attempt to catch someone.

I objected to this. Though our competitor's sneaky trick may have hurt our ego, I personally don't consider a list of conference attendees to be proprietary/sensitive data, certianly nothing to warrant an invasion of privacy. I thought the manager who authorized the scan was way out of line. I stated that even though the company had every legal right to do this, I felt as custodians of computer resources, we had an ethical obligation to use our power only when really really reall warranted. I also felt we should publicly expand on just what we were capable of monitoring -- as a deterrent. I was immediately shot down by an over-zealous officer of the company. Paraphrased, "When the police tap the phone line of a criminal they don't tell him when and how they do it." His logic was faulty in that he assumed everyone was guilty from the beginning, but I didn't press the issue further. I just made it a point to answer honestly and completely whenever one of my users asked about what was monitored and how the technology worked. I even offered advice on how to circumvent the monitoring, if possible.

My holy grail during this time was to find a proxy on the net that was like Anonymizer but 1) used SSL (admins can't watch traffic) and 2) somehow hid the destination URL (unlike anonymizer). I never found such a service, and I have since been fired from that company (for a completely different issue). I now work at a large public university, where at least invasions of privacy are protected by law. Better yet, I admin unix rather than NT. :)

Liability?

[nuggz]

Companies are liable for employee email
Halloween documents, harrassment, everything

If you want privacy do it at HOME, or use appropriate encryption

but really just be glad they let you use them personally at all

Re:What you should be looking for...

[Number6.2]

Dammit, then, there should be more porn on /. You should be mailed a twinkie every time you surf to the website, too, just so it could be fattening, and immoral. It's not illegal yet. Maybe we should start to encrypt and make "them" think that it is. After all, only criminals encrypt...
I am not a number, I am a free radical
number 6.2

What me worry ?

[BasharTeg]

Don't worry about it. Simply scan it once or twice, send private warning letters to the users who have questionable material. Make the letters sound official and defend company policy so if one of the letters gets back to the hunters, you can simply say you thought they should have a warning first. Most likely all the porno fewls will ease up. You can say you scanned em every month or whatever, but really just let it ride. Management only needs to know what you decide they should know. Often in my job (SysAdmin) the CEO refuses to spend very small amounts of money (like $200 at a business that makes millions) for upgrades and/or hardware that we *really* NEED. I figured out that sometimes you have to make up a different reason that sounds even more important. Our network was getting bogged down because of high bandwidth applications we use. We were running 100BaseTx on a hub. I decided that we needed a switch to isolate the bandwidth between the two coworkers using the video application. The CEO said "No, we don't really need that. Everything works fine the way it is." Actually we were having all kinds of problems when the Database Client timed out from the server because two or four people were running video and lagging the hub to death. So in the end, I had to screw somethings up on purpose (like change the server's IP), and claim that the hub burned up from too much load. Then I told him rather than getting a new hub for us to burn up, we could get a switch and fix two problems at once. I know many other sysadmins who have to do the same thing in order for things to run smoothly at their job. What you have to learn, no matter what the subject (hardware,software,privacy,etc) is to simply tell the management what they need to know, what they want to hear, or what YOU want them to hear. If the management wants to hear that there's no pornography in the email, then by god, there's no pornography in the email. You are the admin. Use your power for good not evil ! (Except a little bit of nessicary evil)

Re: IBM montoring? Hah!

[joenobody]

At IBM, they monitor everything you get, every site you visit and if you go porn surfing then they fire you.

Yeah, right- there was a guy who used my desk at night. I'd come in and glance at the history file in the morning and find porn all over it. He's been told four times to not do it- he still does and he's only getting let go now that the project's over with.

Acceptable Use Policy

[Slime]

Does your company have an acceptable use policy? and if so, have all the employees signed stating that they understand this policy? If so, then the question is quite simple, as has been stated numerous times in the threads, all resources are company related, and you work for the company, as an administrator if you find "non company programs" running on client computers, i doubt that you would have a problem removing them, why the fuss about email?

Most people are at work 8-10 hours a day supposedly to work, they have 14-16 hours outside of work to surf all the porn they want to.

I personally do not want to have to do the metrics required to keep my QOS levels where they need to just because users want to surf out of bound sites.

p.s. a search of google.com for "sample acceptable use policies" will return thousands of hits that might be of assistance.

Good Luck

/rant off

They go naked at this port

[Sirron]

When the Spaniards cruised up the pacific coast of the USA (to log all the traffic using the various ports) around the early 1600's they pulled into a natural port (now called the Monterey Bay) and found a populous nation (The Esselen Nation) of organized and peaceful people at that port.

"The land [is] well populated with Indians without number...
They seem to be gentle and peaceful people..."
- Sebastian Vizcaino Dec., 1602

They also found those peaceful and numerous people stark naked! (egadds... porn over an open port)

"...They go naked at this port."
- Fray Antonio de la Ascencion Dec, 1602

And the battle over nudity over the open ports in the infrastructure begins in California.

1770 Mission San Carlos Borromeo was founded.
1846 US forces claimed possession of California.
1851 the first of many (always broken) treaties were signed with the Esselen Nation
1800s-1900s Massive eradication of the nude elements (and their sympathizers)
1999 there are only about 350 enrolled members of the Esselen Nation. (down substantially from "without number")

The battle is won. The (remaining) naked "heathens" are fully clothed, and all ports are preserved for decent law abiding non-naked traffic.

But wait. There is a new port. An electronic port in an electronic infrastructure. And we have discovered a nation using this port. And guess what....."They go naked at this port".

Your task, Sr. Cliff, (should you choose to accept) is to clean up this new port and make it safe for decent law abiding (fully clothed) citizens to tread. You must eliminate the naked nation which is using this corporate port.

Re:privacy advocacy

[Aninymous+Coward]

Grammar?

Darn. The pedants are revolting.


Al

Re:Are we moral sensors now?

[Aninymous+Coward]

Because nobody except rabid PCers would understand you. A great suggestion for if and when the majority - or even a significant minority - both understand and prefer the use of an agreed neutral pronoun.

In science fiction, sexless individuals are often described as 'it'. But people don't like that applied to themselves; it has insulting overtones.

However it IS generally acceptable to use the gender-neutral plural: they, their etc.


Al
------------------------------------------------ ------------------
Your reality, sir, is lies and balderdash and I'm delighted to
say that I have no grasp of it whatsoever
-----------------------------------------------B aron Munchausen---

Re:You don't have the privacy right (nor should yo

[Aninymous+Coward]

Veni Vidi Vici = I came. I saw. I conquered. Julius Caesar about, I think, England.

Vidi Vici Veni you can therefore work out for yourself.

Veni Vidi Visa = I came. I saw. I did a little shopping.


Al
------------------------------------------------ ------------------
"i saw a sign that had the distances to various cities, and it
said Los Angeles - 404 and i thought - what the fuck happened
to los angeles?!"
------------------------------------------------ -------greyrose---

What's next?

[Mr.+Haplo]

I can't say that I totally disagree with a company's right to scan their own networks (including email) for "illegal" and potentially damaging material. After all, it's THEIR network, and THEIR hardware/software you're using.

But, where is it to stop? How long before ISP's start scanning any and all packets that go through their network, looking for pr0n and other "objectionable" materials, and either getting the user arrested, or kicked from the service? Who's to say that someone with a cable modem might not be packet sniffing their entire neighborhood, find some pr0n, be offended, and complain to the ISP, and threaten to sue? You'd think that someone doing that would likely be kicked just for packet sniffing. But, with today's corporate fear of lawsuits, it's entirely possible that the packet sniffing luser might just get their way, and win a huge lawsuit in the process. It only stands to reason, then, that the ISP would want to prevent this from occuring, thus scanning all incoming/outgoing packets for pr0n, and either booting or prosecuting the "violator".

Just my $0.02.

Get the 'witch hunters' fired...

[Moray_Reef]

Well you could put a couple hundered MB of porn in the offending HR persons network directory or e-mail folder and get them fired... No more witch hunters, no more problems...

IF then only outgoing

[jajuka]

Its a touchy issue, but one cant always control what others send them, so unless they've subscribed their work account to a porn list or somthing, the only thing that should count against them is if they're /sending/ such material from their company account.
Needless to say not doing it at all is the ideal choice.

Compromise of trust

[foobarbazquux]

I was chatting this over with my systems administrator, and she tells me that you absolutely must not snoop into somebody else's files because the trust between a sysadmin and the users would be irrevocably broken.

She never su's into anyone else's account unless they are in the room with her and have given their tacit approval, or she's phoned them for explicit permission, or it's a screaming emergency and she must in case another World War breaks out.

Sounds like a good policy to me.

hahahah

[H3lios]

this post was so funny

Re:Are we moral sensors now?

[ufdraco]

Or, as would be my personal preference, we could introduce into language another gender-neutral set of pronouns. Then make the gender-specific pronouns only "proper" if it is truly necessary to denote gender--say if we are actually talking about sex or issues that only apply to one or another gender but isn't clear from context.

Somehow, I don't think that if we run into a n-sex alien species that we are going to blindly use "he." I would hope we would find a good, decent, generalized term by then.

do it!

[itascon]

Well if it is after 1985 and when they were hired they were notified that their email could be read by anyone at anytime, then there isn't really (a) anything you can do about it and (b) any reason to have consideration for an employee receiving email with porn in it who's not cleaning up after itself.

Don't worry - anyone smart enough has it all archived and off your mail server anyway, and the rest deserve what they get :)

Re:The company does have the right to snoop, but..

[Hobbes_]

I agree and can relate.

My previous job (some years back), I had the misfortune of being told to scan all the office machines for games/screen savers (only blank screen saver allowed) and remove them (this was before email).

What's worse was I had to do monthly. It finally stopped as everyone knew when I was coming around, deleted all the stuff and put it back on when I left (save disks supplied by me:). Also I ( a few months into it and intentional) would take the machine down for quite some time while I checked it, which in turn had the departments complaining it was being disruptive and finally got it stopped .

Get the porn, leave the mail...

[Lion-O]

Hi,

Our company had the same amount of problems. Worse yet; sometimes, very rarely, the amount of non-business data tended to take too much bandwith for our regular datastreams. Since you got 2 problems in this matter (privacy of a persons mail & company propperty / violating of company rules) I decided to take 2 actions which lead to a drastic decrease of these activities. Offcourse all of this was implemented after I warned the users what was about to happen.

First we stripped incoming messages of any attachment while sending the contents of the message to its receipent. The obvious graphic files (bmp,gif,jpg) were moved to a different directory while the system made copies of all other files. Since most of the users on my network attached stuff this filtered out quite a lot of illegal activities without violating privacy issues.

Besides this we scanned the size of the email message itself. Normally no email msgs were intercepted due to privacy but when a message reached a certain size (approx. 50kB and above) we (my superior and myself) would intercept and check it.

I found this to be the best solution. Personally I don't think there is an "out of the box" solution for these sort of problems. The best way I can think of is to analyze the situation and take appropiate actions.

Porn Scan

[Uncle+Humph1]

I am a Net Admin and I have to do it as well. How I handle it is I go look for it and if I find it, I play "Dutch Uncle" and give the individual a heads up. A few minutes later it's gone. No problem. That way, the two of us are the only ones who know, and no one gets fired or black balled.

Re:Corporate vs Individual Rights

[christoff]

If this is true, aren't most ISP's businesses that reside on private property. Your mail passes through at least one isp that belongs to a private business every time you send mail. So someone always has a right to go through your mail right? Wrong.

I sorta agree with Cliff

[Sp@mMan]

Your at work, to work. And I know I know that you need your privacy, but get down to it, companies want the mighty buck. And they want to get what there paying for, your on company computers to do company work, if you DIDNT have computers, you think companies would like you walking down the local gas station and buying girly magazines? I dont think so. But whatever.

Re:System resource waste on porn

[FireWhenRady]

As a sysadmin, my general problem with downloading porn is the volume and time. When I find 2% of my Internet bandwidth going to a porn site, I don't really care about the content but the waste of bandwidth going into someone wasting company time and money. I think too many people see Internet access at work as a free ISP rather than a tool like the telephone.

I don't think anyone would see anything wrong for a company disciplining somebody who had a huge long distance bill to 1-900 porn sites. Why should they not halt time, space and bandwidth waste of their Internet access?

I monitor Internet use looking for bottlenecks and bandwith problems. I would rather save bandwidth by stopping access to porn sites than access to system upgrades.

Re:You don't have the privacy right (nor should yo

[SPorter]

At my office we have no privacy:

• we have to give our supervisor our root passwd
• we can't lock our screens when we're away from our machine
• we are not allowed to encrypt any files on our system
• we have to agree that anything on our computers is owned by the company and they can access it
• no personal business on our computers

No problem... I simply ssh to another box where I do all my email. I don't give my work email address to people unless it will only be work related. Of course, with email, you can never assume it will always be secret.

Authority and Politics

[argel]

As others have said, almost every company has clauses that give them the right to monitor all network traffic, including your e-mail. As has also been said, abusing this will create a hostile work environment.

What I have not seen addressed is which department has the authority to order this. If the HR department has the authority to order this, then the HR department has authority over the network, something they are not qualified to manage.

Furthermore, the likelyhood of being dragged into corporate politics increases greatly, something most engineers want to avoid and something any good compony wants to help them out on. I mean, if you owned a company, would you want your SA's playing politics? After all, they have access to sensitive information and are usually the only ones authorized to use network monitoring software and hardware!

And there is of course the issue of the SA's time. Most places are understaffed when it comes to SAs, so the likelihood that they are working on something else that is more important is pretty high. And what about spending money to buy monitoring software (hey, if HR was shoving something down my throat I'd be much happier buying somthing to do it than to have to write something to do it)?

Unless necessary (e.g. financial institutions like Edward Jones and A.G. Edwards) monitoring e-mail should be done against individuals when suspicious activitiy is detected or complaints filed.

As others have pointed out, any hours I work over 40 are on MY time. If the company expects me to work more than 40 hours then they have to give me a certain degree of privacy, because I will have to do some personal things from work.

The bottom line is that the HR department should have to submit a request for the network monitoring and then justify it. If they think they can demand this without a reason then you should either start looking for another job or have a talk with the company lawyers.

-- Argel

P.S. I would give a company wide warning before performing the type of monitoring you have been asked to do. Make sure you point the finger at the HR department, or you will take the "bad vibes" bullet when they are the ones who deserve it.

rage against the machine!

[BSD_Beck]

If I were you, I would agree to do it. Then send a message to every single user explaining exactly what you have been asked to do, and warning everyone. Tell them you may be fired for this, but it would be wise for them to watch what they attach to their emails as thier superiors have the desire to get snoopy.

Oh yeah ... The machine that is America is oiled with the blood of the working class.


Bwuckatah bwuckatah bahhh, bwuckatah bwuckatah bahhh!

Warn then Scan? email server doesn't delete

[Speare]

Not directly experienced with this, but aren't most corporate email servers set up such that the clients do no local storage, and that clients' delete requests just "hide" the info? Otherwise, there's too much risk of other evidence-destruction liability, common with insider trading or espionage litigation for hi-tech companies.

SysAdmin

[Hassmachine]

I'd say scan it... but I'd give them fair warning. That or else send a message to the people telling them you are going to scan it, and send company policy to them, I am big into the whole "privacy" things as well.. but I also firmly believe that if they are getting their work done, and keeping the information the do INSIDE the company, who cares what they look at, everyone basically is a freak of some sort, whether you look at flowers all day or stare at some woman bending over... most likely in today's day and age, SOMEONE will find it offensive...

sneaky compromise

[Borealis]

Well, I'd have to agree with some people that chances are that if you don't do it, they'll get somebody that will.

Reach a compromise that all users are notified of the change and be sure they all know that any images included in their email will likely be looked at. Also, at approximately the same time you can publish a memo on the importance of making sure your email is secure and that any sensitive data should be encrypted. Point them at the recently revealed Canadian "email encryption made simple" that was on slashdot a few weeks ago http://www.ipc.on.ca/Web_site.ups/MATTERS/SUM_PAP/ PAPERS/encrypt.htm

The really smart ones will start encrypting, the moderately smart ones will stop getting it sent to work and the dumb ones will get caught and fired. Natural selection at work.

I have an idea

[puppet10]

I understand there are legal issues involved, but since the HR department seems to be the instigator in this, maybe this is the first department that should be checked, then at least you'll find out how serious they want this scan to be...

Don't do it - I wouldn't.

[treat]

If I were asked to do this, I'd have to do some thinking. Not whether or not I would do it, I know I wouldn't, I would just have to consider the manner in which I refused. I would probably explain (nicely) to my superiors that I feel I'm being asked to commit a grievous violation of people's privacy, without any good reason. This is not investigating one problem user to see what's going on, it's searching to see who is doing immoral things. It's not about bandwidth or disk space or other resources - if it were, we'd look at who's using the most and why. Or, we'd search for other types of non business related data, like games. It's certainly not about who's wasting time instead of doing work - people who do that have a lot of choices, and it's not like taking one away would have any impact.

I imagine that I consider assisting in a witch-hunt of this sort a vastly more serious violation of my morals than the people calling for the witch-hunt consider the porn a violation of theirs. I could not be forced to do this, I would quit if necessary. I would make sure what's going on is made public knowledge. The job market is good. At least at my current employer, while being caught looking at porn is a serious offense, the proxy logs are only looked at for a specific user when there's a specific reason. And nobody's email is *ever* being read to see what they're up to. And it will not be as long as I'm employed here.

I realize that the company owns the machines, and it's theirs to do with as they please. But unless there's a strong reason to investigate a specific person (probable cause, perhaps), the company should respect their employees' privacy. Compare it to parents searching their children's rooms, reading their email/snail mail/diary, or listening to their phone calls. It's just wrong.

Re:If it were me...

[treat]

and if you go against them and don't do the scans, they prolly will terminate you.

That depends on your value to the company. If it would cost more to lose you than to have some porn floating about unnoticed. Nowhere I have worked would I have been fired for refusing to do this. They go through enough work to keep me from quitting on my own, they're not going to just fire me over something silly like this.

If they did (or if they forced me to quit), good. I will make sure that my coworkers know exactly why I'm leaving. Their anger over the situation will more than be sufficient revenge.

Re:If it were me...

[D'Arque+Bishop]

This is a very good point... I was actually going to say this. :) The thing to keep in mind is this, though: if the place you work for is anything like mine, you have to sign an agreement stating that you understand the rules of the company, and that you agree to abide by them. This means these people should know full well that everything put on their machines is the company's property. Therefore, they should accept responsibility for what happens.

As for the aforementioned suggestions... I doubt the sysadmin has any choice. He just has to provide the logs/information, and then management and/or human resources determines what to do with it. If someone gets terminated, it's due to the management's decision, not the sysadmins... and if you go against them and don't do the scans, they prolly will terminate you. If you have a problem with this, leave the company.

Just my $.02...

Re:Corporate vs Individual Rights

[D'Arque+Bishop]

No, they don't have the right...no more than your landlord has a right to randomly enter your apartment and check your wife's underwear drawer for drugs...its like a rent agreement.

Not exactly. A lot of companies are like mine: they make you sign a form stating that you understand the rules of the company and agree to abide by them. At where I work, it specifically states that the company owns the PC's and everything on them, which isn't the case in something like an apartment rent agreement. Therefore, they do have the right to be searching them...

Personally, I think the mail should be monitored (not actually read), with reading only taking place when you have evidence of suspicious activity... but then, that's just my $.02.

a practical approach

[ChaosMt]

As far as I know, technically, in the eyes of the court, they are right. In the eyes of what is practical and ethical, I'm not so sure. I don't think explaining to them why doing this would be "wrong" would help any, nor trying to explain the importance of privacy. However you could explain why doing this is opening a BIG can of worms.

First, you should find out what's really getting their attenion. Are the users taking up to much storage? Are the users running porn sites and making money on company resources? Are the users just simply wasting time, instead of working? Was there evidence or rumors of a pervert going around? With all of these examples, there are resonable ways to draft policies that keep people on a leash, but don't violate privacy. Such as make it a company policy that users only get so much storage. You don't have to enforce it, but when the time comes, you have a policy to back you up.

Second, you should explain the ramifications of doing this. Tell them you will seriously consider leaving. In some parts of the world, they can't get any computer help and suddenly, this action won't be an option.

Third, You should also explain the significant effect this will have on morale. People will be pissed, people that will very quickly find work arounds to go outside the system.

The fouth reason not to do this is to keep lawyers unemployed. If they do this, it may be very likely people will leave the company. Those people may also try and sue the company. They may not win, but they may cost the company $500,000 - and that can hurt.

The fifth reason is that, if they open this can of worms (especially w/o notice), they then become liable for all of the content on the network. In other words, if you were to censor this time, you can leagally be expected to censor all of the data on the network. For example, lets say their upset b/c Joe Bob is archiving alt.sick-sex.pictures. They make you break in and catching him, and they fire him for wasting company resources. Later on, after Joe Bob has been forgoten, Jim Bob is archiving alt.sicker-sex.pictures. FBI finds out what Jim Bob is doing, busts him and takes the companies equipment for five years (nothing you can do about that). However, someone's son/daughter was caused irreprable harm from Jim Bob's actions and files a civil suit against him. The lawyers will also name the the company in the suit, (b/c Jim Bob can't pay a lawyers salary off of what he makes in federal prison) saying the company had a history of stoping porn, but did not act in this case. This may seem far fetched, but things similar to this have happened. The parents may not win either, but they will cost the company millions.

Given the greedy nature of companies, I think a good delivery of the final reason will work. However, don't forget, you can refuse, quit, and go work somewhere else making twice as much b/c you'll be able to sleep at night and do more during the day.

There's more than just privacy in this

[rich+w]

I tell everyone at the office to treat their e-mail account the same as they would the company's letterhead stationery.

If you look at some of the recent cases/settlements on wall street, there may be other issues in play, such as sexual harassment. The problem may not just be the use of company time by someone getting their jollies. The distribution of the e-mail with the porn attached and the content of the mail message may be a big problem.

Ownership of Email

[darkstar101]

I don't buy the assertation that the company owns the email that an employee recieves. The company is not providing any compensation to the SENDER in exchange for the email messages being sent. Wouldn't copyright law make all email messages copyrighted by the sender? If the sender did not work for the company, how can the company claim their property without compensation?

How about if the SENDER doesn't even own what was sent. Say someone sends me a web page off USA Today? Does the company own that? Certainly, USA Today would have a copyright on that material.

If it is true that the company owns any email an employee recieves, that would mean I could create a small company with that policy, get someone to email me the linux kernal, and then start charging Red Hat for every CD they sold. That does not make a lot of sense.

The company may own the computers, but that does NOT mean that they own the INFORMATION on them.

A quick at software liscensing should convince anyone that just because something is on a company computer doesn't mean the company ownes it. Most software is not owned by the company at all. The company owns a LISCENSE to use it on one computer.

Re:write a script...

[darkstar101]

99.9% of email users have no idea how email works. They only know that they type here and it gets there. They have to put in a password to get in so they expect that no one else can get at it. They are certainly not aware that it is even possible to scan every message in route.

Besides this, the SENDER was not notified in advance of this particular company's policies, and the employee gets penalized for actions outside of their control. Here's another example, I get your email address off of your business card. I send you some jokes about pro-lifers. The email filter at your company gets triggered, and a notice that you are pro-abortion goes to someone in HR. The HR person is pro-life and sets off on a crusade to ruin your life. I realize that this probably is not very likely for you in particular, but what I am trying to illustrate is that you could be targeted for something that you do not necessarily agree with.

Comparing this to a cell phone would be like saying that my cell phone company would listen to every phone call I make, record it and send it to the NSA if I said the word kill or president. This is not a situation I would support.

I have an expectation of privacy when I encrypt something, or when I use a land phone line.

All encryption can be broken and land lines can be tapped easily. Even faces to face conversations can be easily be monitored. Does that make anyone who expects privacy for their encrypted messages, landline conversations, and face to face conversations an idiot? We can be monitored in almost an facet of our lives. From work to in our homes. The military has devices that can tell exactly were we are in our homes through 6 inch thick concrete. Camera's and microphones can easily be placed nearly anywhere. Does that make anyone with any expectation of privacy an idiot???

Some useful info

[admindood]

Usenix-SAGE has some stuff to say about ethical issues. Check out http://www.usenix.org/s age/publications/code_of_ethics.html

Also, get it in writing. Many organizations will back down if you make them spell it out. It will also help you if it lands in court. Good luck...

The perfect solution...

[WhiteRabt]

I know this will sound a little rash, but it would probably stop the flow of porn through the company email setup.

First, Warn everybody with an email that porn scans will be administered, and let them know the consequences will be harsh. Tell them that it is automated so no privacy advocates will get their panties in an uproar.

Second, you set up a script that will automaticly scan all incoming and outgoing emails. Have it note every image that passes through. Also, have it forward the image and the employee's email address to you.

Third, and finaly, whenever you recieve a porn image from this script, email every box with a porn gestapo (sp?) newsletter, telling everybody who is looking at porn, describing the porn that they are looking at, and re-enforcing the company policy against porn... After one or two incidents, you should have the problem virtually, if not completely eliminated.

That is how i'd do it, anyway.

Re: Hentai, Japanese child porn

[Dean+Siren]

In Japan they have cartoon child porn, how do they deal with that?

Re: Hentai, Japanese child porn

[Dean+Siren]

> So if a movie (with live actors) shows a woman being raped or a child (real child actor) being graphically killed, this is allowed because it is not harmful to children. But drawing pedophillic scenes involving people who never even existed is
somehow ok. I'm confused. Why is a ficticious portrayal of one crime againse a child acceptable to the public but not another, esp when the latter doesn't even involve children in any way?

Maybe because the way many Japanese artists render their characters, it's hard to tell wether they're children or adults? (See http://www.win.or.jp/~juan/index_E.html for an example.)

Or maybe because cartoons are just "uncool".

Inbound vs Outbound

[PhillC]

Can the company really do anything in regards to the content of inbound email ? Is the user liable for the contents of inbound email or only the stuff they send out ?

If I can't have privacy once in a while...

[Palainen]

Well, any company is of course free to search anything they want on their network -- if nothing else, just to optimize performance.

However, any company that tried to completely ban private thinking (or communication) in the workplace would see me quitting on the spot. I do a lot of company thinking on "my own" time, and quite some private thinking on "corporate" time, and the employers that don't understand that the line between "corporate time" and "private time" has become heavily blurred over the last 10 years simply don't deserve me working for them.

I wouldn't have trouble with sysadmins scanning my mail, but if he/she can't cope with what he/she reads, it's his/her problem. And any type of content or communication being banned would just make me quit on the spot. I'm their asset, not the other way around.

I'd recommend taking some time to do some serious explaining to HR and then blankly refusing (I'd do it even at the cost of my job, I can get a new one in no time, they can't get a new employee without heavy investments).

Use PGP!

[JoLo]

If I were you I'd tell your boss about security violations and the possibility of industry sabotage using secret information transmitted by email.
Then, when they're scared and about as paranoid as we are, you can tell them that there is a solution: PGP!


10-4, JoLo.

Human Rights

[dysfunctional]

I'm pretty sure i recently heard an EEC ruling that Employees email is private, under the European Bill of Human Rights... of course, the US has different ideas on whether privacy issues..

Iain

Corp Rights V Personal Rights

[azbailey]

I work security and do this on a regular basis, with the belief that

Re:Corp Rights V Personal Rights

[azbailey]

1. when individual actions put the company at risk, through lawsuits ie: sexual haressment, stalking, workplace haressment.. then the company must protect it's self through policies and make a good faith effort to curb and/or stop the activity.
2. The user population will open email even if they don't know who it is from and subject the network to macro viri etc...
3. Users are using the Company's computers, network bandwith, and time to review, send/recieve these things and is a additional expense to the company.
We stop most abuse on a repeat offender status, a. warning b. HR warning in users sleave c. termination.

System Admin woes

[pbegley]

I am a consultant and engineer by degree. My primary consulting focus is e-mail systems and Internet connections for large corporations. I was a node on the Internet in 1986 and have worked primarily for engineering and manufacturing companies.

No client has ever directed me to start a witch hunt. Never. I have worked with HR and MIS groups to develop and publish a clear, written policy for e-mail and Internet use.

If you have had to manage the volume of e-mail and HTTP traffic at some large corporations you would appreciate the problem. 1000+ users can generate something like 40K-50K of messages per day. Combined with HTTP traffic you can have gigabytes of data passing through your firewall and e-mail server(s).

Unless you limit the size of incoming and outgoing messages, they often exceed 5-6 Meg. My clients spend big bucks on storage and network hardware and software (and consulting) to keep these systems running 7x24. Putting e-mail and HTTP policies in place is self-defence more than anything else (legal and technical).

As an e-mail Postmaster, I treat e-mail the same way one would treat First Class US Mail. However, when e-mail bounces, I read enough to determine where it should go and attempt to forward (or automate the process). I have encountered 5+ Meg porn video files on more than one occasion. How do you handle this? I don't 'rat out' users, but press the company to establish a policy if none exists, or re-state the policy for users so its very clear what the consequences are.

This month a Major Financial Institution (bank) on the east coast fired staff for forwarding pictures and 'dirty jokes'. They had a written policy, they informed the staff (repeatedly), yet through sheer volume of mail and network traffic it became a problem then needed to address. Several people were fired. One of the people fired admitted he screwed up, acknowledged that they were aware of the policy, chose to ignore it and recognized the consequences.

Does it take firing people for a company to establish that they are serious about a published (and promoted) e-mail and HTTP policy?

I really don't know, but when training and consulting try to balance personal rights with technical responsibility.

It's searching E-MAIL!!!

[NYFreddie]

Here's the thing I see with this - they want you to scan e-mail for pornography, which I am assuming refers to images.

Now, my question for everybody is: How much pornographic stuff is trafficked via e-mail? Most of it is web related. (You're free image mailed to you weekly is just a link to a web page).

Now, I can see the occasional pornographic joke images, but I really think these are in the minority, and most people I know don't keep them in their mailbox - they delete them after looking, laughing and forwarding - or they save them to their workstation so the mailbox doesn't get full.

My advise is to get it documented, then run it. There won't be many hits, if at all. I can see them not wanting to advertise the fact that checks are going to be made, hoping to catch as many people as they can, but pass word along to your buddies, who in turn will pass it along.

My 2 cents worth.

-NYFreddie

Scanning email is required in some businesses

[KStieers]

Some businesses are required, by law, to have email reviewed. Specifically, stock brokerages can not accept buy or sell orders over email, can't publish certain types of recommendations electronically, etc. To insure this doesn't happen mail to and from brokers has to be monitored by the Compliance dept of the brokerage. Also all of that mail must be archived for three years. We have the SEC to thank for that. We are implementing a system to do this now, and yes HR is pushing to be able to scan mail for violations of the policy. We (IS) are not involved in anything more than insuring the technology of the system works. You should limit yourself to that as well. Ken

warn everybody first

[plinivs]

I work at a certain company, and it has come to my attention that our supervisor, who is also a hacker who thinks BO is a great invention, likes to go thru the Location history of the browsers on our machines, to see if we've been to porn sites and to learn more about us. I sure am glad that somebody told me that he does this, because suffice it to say I get bored, really really bored, sometimes myself. That's just the nature of my job, there are idle moments and I'm paid to weather them.

Also I suspect though I haven't verified that the supervisor has been getting into our Supernews.com accounts to find out which newsgroups we read. He and his sidekick like to drop hints about that kind of stuff. They relate phoney personal experiences to see if I/we have comments, etc. and later have no recollection of those experiences, etc. Time to get a new job, eh?

So these guys are serious creeps, and of course they're high school flunkies with no University degrees, and they're loved by the company for their Nazi-like submission to authority (it's corporate), but what can I say? You can only complain so much. In the end, this is the Information age, and with it come certain risks. You've got to avoid them. Practice safe computing. It's a job, not your life. If you want a real job, start your own company.

Look at it this way: If you're in a restaurant and some jerk is sitting next to you, you either leave or you move -- but you avoid him. If you're at a company and some higher up jerk is investigating you, you either leave or you avoid him (or her). Don't let your guard down ever, because that kind of person will try relentlessly to get you to do just that.

To address the idea which is the title of this response, if there are people who are ignorant that there are wolves in the henhouse, then consider it your duty as a person of good will to warn them that they are at risk. And if you're not a person of good will, then you're one of Them.

We just went through this, fired 7 employees

[timboguru]

I work as a senior sysadmin at First Union. I mention the company because we made the news recently for firing 7 employees for passing around porno via Lotus Notes. We had to take a backup tape and set it to never expire, and it's now currently locked in a vault in our legal department. We did not find it, it was found by one of the Notes admins, who ran a usage test, and found users whose disk usage was way outta scale.

Personally, I think you gotta be pretty stupid to do that at work. Get a cheap ISP connection, and pass around anything, but not at work. It's not worth losing your job over it.

timbo

A threatening atmosphere costs $ in productivity.

>If privacy is explicitly NOT given...then it is certainly within their realm to scan it.

Maybe so, but if a company creates a work envorinment where they feel watched all the time and that the slighest wrong movee will bring an axe down on them, their efficiency and productivity will suffer. Quality of work will drop. Losses to the company from reduced productivity may hurt the company more than if they just turn a blind eye to employees web surfing. So long as employees are doing their jobs, let 'em be happy. Happy workers are productive workers. As long as they're not hurting each other (sexual harassment) or hurting the company excessively (downloading 50GB of porn per day), just ignore minor transgressions. They're harmless. No one wants to work for Big Brother and forever live in fear of the wrath of Management.

Company Resources, so...

[Masem]

As mentioned before, someone noted that phone lines cannot be monitored as they are considered a common carrier. I would also suspect that this extends to the internet bandwidth that connects your computer to the net.

That said, the company most likely owns the mail server and the computer that you type mail from, as well as the email address you have at work. While the medium on which this goes out is public and cannot be scanned, there is nothing wrong with the company caring about how their server and email addresses are being used. (and as pointed out, this strictly has to be on outgoing mail; Any malicious person can easily send a porn ad to your work email without your consent. Additionally, Melissa-like email viruses must be taken into consideration as well, as too many companies are Outlook Express and Office people).

So if you are working for MegaCorp.com, they have every right to scan the mail on mail.megacorp.com for problematic ones. Not only is that their company policy, but if underpaid_worker@megacorp.com starts spamming bgates@microsoft.com with porn, MegaCorp's reputation can also be tarnished.

The problem is how they approach this. Porn in the workplace is a bad thing to begin with (Shades of Clarence Thomas here), and email is no exception; not only is in inappropriate, but it can lead to sexual harassment suits (In the past, I've seen a coworker talk rather vulgar and get bad glares from other workers, and that person was then talked to behind closed doors). Additionally, that email address is provided by your place of work for work-related purposes; unless you work for a porn place, porn is not work related, much less numbers of mailing lists and such. Many places are lax on that only because all work and no play == low productivity.

However, if the place of work started to demand access to your aol.com account that you paid for, sue the heck out of them.

Anyone that is intelligent enough, IMO, would have a mail account that is for more private things, whether personal communications between friends or porn or whatever, and would only access that from home.

Policy needed

[mattdm]

Companies need to develop a policy on this kind of thing. Although the current law may allow corporations wide latitude, you're opening yourself to all sorts of trouble otherwise. (Moral and morale trouble, if not legal.)

Since that doesn't seem like it's the case where you are, SAGE's Code of Ethics for sysadmins might be personally helpful, at least.

--

Are we moral sensors now?

[PG13]

This seems a common thread in censorship debates. *Everyone* even the censors agrees that censorship is wrong but, the objection goes, we should censor with the truly eggregious(sp?) offender. Right now that eggregious offender (for those with a more lazie fare approach) is child porn.

But by saying it is okay to censor something, even as bad as child porn, we have allowed an infrastructure to be built which lets us watch people and prosecute them for their communications. Just as in the classic slippery slope argument once anyone who looks at child porn goes in jail who will object when they push the line up to 'anal sex with an under 21 year old.' Each step is allowed because who wants to be identified with the small percent who watches 18 year olds get ass fucked?

Secondly while child porn is a bad thing such a massive invasion of our rights to communicate should, like any law, only be enacted if it prevents the violations of others rights? Does the child porn law really do this or only make us feel good about a subject we would rather not think about?

Does the fact that it is illegal to distribute child porn mean that more porn is made b/c the distribution is so difficult? Does the fact that he can't download any child porn off the net to jerk off to mean that your neighbor will molest your boy looking for his high?

Maybe if we only banned commercialization of child porn images less children would be molested. If they themselves weren't going to be thrown in jail we might have more informants on who is doing that actual abusing.

It is possible that the child porn laws and restrictions are a good thing despite their danger to our freedoms (worth the risk). However, the knee-jerk reaction to censor the material without even stoping to think about it is one of the worst reactions imaginable.

Re:Are we moral sensors now?

[rdemanow]

I agree with you, PG, that the government goes too far with the way the laws are written. It just so happens that it's easier for them to catch and prosecute someone with a picture of a 13 year old girl getting raped, than it is to catch and prosecute the actual rapist. The laws are written the way they are so that law enforcement can make itself *look* like it's doing it's job. Kinda like those cops who wait out by the freeway all day handing out speeding tickets, rather than going out and finding the people who are commiting more serious crimes like assault, robbery, and murder.

They also go too far in what they define as pornographic. Here, the government caters directly into the hands of the puritanical Christian zealots of the "Religious Right", and their "Moral Superiority (patent pending)". There's something seriously wrong with laws that criminalize the great artistry of people like Jock Sturges, Sally Mann, and Graham Ovenden. The way the laws are currently written, a court could interpret an image of Michelangelo's David as pornographic.

I also agree with all those who have expressed the opinion that employers should have the right to censor (yes, censor!) what appears on their networks and workstations. After all, the network, the hardware, the domain name, the IP addresses, the software, and the mail exchange servers all belong to the company. I think a company has as much right to monitor and control what their employees do on company equipent, and during the time they're being paid to work, as parents have to monitor and control what their children do and see (on TV, the 'net, who they hang out with, etc.).

It seems like common sense to me that when I'm at work, I do work, and when I'm on my own time I do whatever the hell I want.

I'm convinced that the primary reason that companies have these crackdowns on people looking at porn, or whatever, is that they're afraid that the government will hold the business criminally liable for letting their employees do it. That's another symptom of the way the laws are written. After all, a pornographic image mailed to me at my work email address resides on the company server, and is thus company property ... for which the company can be held criminally liable, the way the law currently reads.

As far as moral censorship goes ... IMNERHO, it belongs solely and completely with the individual. If you don't want to see porn, don't look at it. If you don't want your kids to see porn, teach them not to look at it. They probably will anyway, though, and you know what? There's not a thing anybody can do about it! (Just look at what criminalization has done to the drug scene.)

Anyway, I'll get down off my soapbox now and prepare to be flamed.

Just _warn_ everybody first!

[The+Creator]

Just send a warning to everybody fist. I know, send everyone a mail, something like "please clear out anything private of pornographic or political or ... scanning starts next week". That kinda thing. Now you'r in the clear on both your asses.
Simple eh?

LINUX stands for: Linux Inux Nux Ux X

If it were me...

[dav]

I would insist on first sending out a company-wide email which repeats the Computer Use Policy for your company and then blatantly states that the system will undergo periodic scans. Then wait a few days and perform the scan as requested.

The results of this scan should only be seen by a few authorized managers (not even you/me, if possible).

That covers me ethically. The authorized managers, if ethical (and good managers), will make rational and intelligent management decisons on how to act on the results.

My suggestions here: If the offending material is not illegal (not child porn or whatever might be illegal in your municipality) then the offender should be reprimanded privately. If it is illegal, well ...ethics is a tough subject matter ..you're on your own. It is important that all offenders are treated equally though.

Re:privacy advocacy

[edgy]

Granted, about the drug testing point.

However, in my opinion, there is no justification for drug testing if an employee isn't employed doing anything that could endanger someone else's life.

I would excuse drug testing if an employee shows impairment on the job. In that case, firing them is justified. This would include alcohol.

him/her --> them, he/she --> they

[Mr+Z]

Once upon a time, them and they were not specifically plural. Why not make them the gender-neutral pronouns? People do it everyday by accident, why not just make it the rule?

At the very least, everyone will understand what you're saying. Nobody should get offended, except for some grammar bigots out there that have close-minded views on the modern evolution of language.

--Joe
--

Re:Scan HR's mailboxes

[jabber]

Absolutely. And as a security enforcement method, set up an automated script that will notify the 'perp' that they've been spotted. Notify ONLY the perp, and just log the event - until/unless it's gross and repeated misconduct.

However - this is a sure way to get fired, since everyone is equal, except for those in management, who are MORE equal. Rub the people in power the wrong way, and you'll end up with no reference from this job.

Re:Phone calls vs. E-mail

[jabber]

A company may not be able to monitor the content of a phone call (legally), but the frequency, type and duration of phone calls are fair game. Especially if you're on a PBX, making lots of long long-distance calls. Major no-no, and one that it is reasonable to get fired for.

However, we need to keep in mind the psychological side of authoritarian monitoring. Employees, like teenagers and political dissidents, will rebel against oppressive authority. If they feel trusted, and able to lead comfortable lives, they will produce. If they feel stiffled, they will spend a disproportionate amount of time figuring out ways to thwart their restrictions.

In my company, there is a monitoring disclaimer pinned to every billboard (by every entrance) that states that monitoring is thorough and logged in the event of a tresspass. We do not have Echelon in place, since it would take a large department to pore over the data each day. But, my phone call frequency and durations are logged, my web browsing habits are logged, my entry (via keyed access card) is logged. Perhaps a log is kept of the programs I run during the course of my day...

Or maybe it isn't - maybe this is just the panopticon approach to security. Maybe they cfreate the illusion of mopnitoring to curb people's behavior. I don't know if it works, but I know it does not work on me. I'm typing this from work.

If I get fired for reading /., well, that's just a company I don't want to contribute effort to in the first place. I'll take my skills elsewhere.

Professional ethics

[Howard+Roark]

I used to supervise a staff of sysadmins on a government contract for the FBI. While it was my first job with that responsibility (I had to make things up as I went along), I encountered a similar issue when I caught one of my sysadmins reading other people's mail since he had the technical ability to do so.

The way I look at this is that a system administrator has a professional responsibility to to insure the integrity of the systems under his control. This means doing backups, deleting growing log files, installing security patches, and not prying into the private files of others. While it is true that the company owns the computers and the data, you have a professional responsibility to protect the data on the system.

You should politely inform Human Resources that while you have the technical means to perform such monitoring, it would be unethical to do so since you would be risking the integity of the system.

Your monitoring might pry into sensitive company matters, personnel issues, business plans, customer lists, accounting information, and other data you have the responsibility to protect.

I feel that like doctors, lawyers, and clergy, we have the duty to keep things private and to protect data.
--
Howard Roark, Architect

Corporate vs Individual Rights

[Photon+Ghoul]

This is a strange issue. Just saying it's about restricting free speech, cracking down on child pron, outlawing bong-making, or identifying anarchism is limiting the issue. What is at stake here? The ability to have FREE speech. Should we be restricted if we are on someone else's property or using their property to perform the act of "free speech"? Lawmakers seem to think so.... Corporate "suits" seem to think so as well. The general populace (citizens of the U.S.) seem to agree.

Look back a few decades. This is what states, schools, orphanages, mental hospitals, and other institutions thought about their property. For the most part, that has changed. Should corporations be exempt from free speech issues? Should corporations have more rights than the individual?

Scan web caches

[crow]

Forget email. You'll find stupid chain letters and such, but not much porn. If you want to find porn, scan the web browser disk caches. Just write a script that cycles through all the jpeg images larger than 10K. You'll find lots of junk that way, and you can probably determine exactly when it was last viewed. You'll also be able to distinguish between someone who bumped into a porn site by mistyping a URL (e.g., xfree.com instead of xfree.org) and someone who spends a good part of their day hitting porn sites.

Of course, it's easier to configure the firewall to log all connections, and then crossreference with a list of known porn sites.

Of course, if they insist on scanning email, be sure to point out that you should set up filters to check for porn access via gopher.

You don't have the privacy right (nor should you)

[AshleyB]

At IBM, they monitor everything you get, every site you visit and if you go porn surfing then they fire you. They tell this to everyone but still there are people that violate this policy. They are a little bit looser with e-mail restrictions but they are pretty tight too.

IMHO, it's the company's e-mail account, network etc. you are paid to work, but at the very least not to mess around with objectionable material that could potentially hold the company liable for if the wrong person gets some dirty e-mail. Don't think that e-mail privacy is your right at work because it's not. If you want privacy go get a hotmail account...:)

Whoever posted Vidi vici veni is genius...

write a script...

[nion]

to do it. that way you don't have to actually scan each and every piece of email yourself. YOU won't be violating anybody's privacy (your script will, but no human eye sees the non-guilty mail) except for those who are violating company policy.

then have the script mail the postmaster (if that isn't you) a copy of the offending mail, and they can bring it up to management.

perl is cool.

Do you work for HR?

[demigod]

Are you directly assigned to HR?

If not see what you boss thinks of this (assuming
he is not an idiot).

Tell them you bussy and don't have time for witch
hunts. If they keep bothering you (and they are
a bother) stall.

If all else fails find an old line printer and
print out the contents of every mailbox and tell
them you don't have time to go through it all.
So they can.

I wonder if they read MIME :-)

Re:What you should be looking for...

[MindStalker]

Yea, and hopefully once the floor finds this out the intelligent ones will be looking for a new job. Definate way to see to it that your job is "Done". But as you oviously have had experience doing this and kept the people, I'm very sorry you work at a company with such unspirited individuals.

Jeez, and I thought BOFH was a joke

[Wah]

we've got some pretty vindictive folks around here. That being said I LOVE the idea of busting the people who make the rules first, even if it is a set up. Of course this would be as unethical in my mind as monitoring what people consider their private correspondence, but if you're willing to do that I don't see subscribing them to lists as any less ethical (poetic justice, if you will)

What to do

[ogren]

I had to deal with a slightly different matter, but also related to the privacy of e-mail in a corporate environment. Here's how I handled it.

1. Don't do anything without written instructions from the Head of HR and the Head of IT. Otherwise it will come back to haunt you. Besides it will usually make people back off. No one wants to be the one who's name is on the "snooping" order.
2. Politely say that you'll comply if you're given written instructions, but you don't agree with the decision.
3. Spread the word about what's going to happen a couple of days before it will happen. This will let everybody get any personal e-mails out of their mail stores, and will also allow the possibility of a grass roots revolt.

#1 tends to work very well. People tend to be afraid of getting called on the carpet later about privacy issues when word leaks out. Just make sure that when work leaks out that you have your personal butt covered.

Send out a reminder first.

[proboy256]

I think that I would ask HR to first distribute a reminder to the effect that ofice email is not private and that porn is not an acceptable use of company computing resources. Personally, this would help me feel better about this sort of privacy violation as I am of the same persuaion as you: I know that companies can legally do it but I question the ethics involved. It also removes the feel of snooping that reeks of poor management. I believe in the value of monitoring at-work behavior, however, I feel that to do so secretly is not acceptable.

--If we added up all of the 2 cents that Slashdot readers gave, I wonder how much sense vs. cents wed have.

joey

What do they hope to achieve?

[coyote-san]

While I agree that US companies have the right to perform such scans, unless privacy has been explicitly granted to employees, I would ask my boss for clarification of a pertinent question first.

What do they hope to achieve with this action?

As others have pointed out, individuals can *not* control what others send to them. Finding porn in an inbound mail box legally says absolutely nothing about the character or behavior of that person, and taking adverse action on the basis of it would almost certainly expose the company to legal action. (Consider an analogy to firing any employee who has a flyer under his windshield wiper while parked in a public lot!)

Depending upon how tightly your system is managed, even scanning user directories for pornography and taking subsequent actions can be legally risky. Did the individual download the file himself, or was he set up by an enemy within the company? If it's the latter, if the company takes adverse action it would appear they could be sued for wrongful termination, deflamation, slander and libel!

My advice is to either forget about scanning incoming mail, or simply filter all out such images. You can scan home directories for image files, but mail the user first with a reminder of your company policy regarding indecent material. Only take official notice if someone ignores the notice.

I know the HR department needs to be sensitive to sexual harassment issues in the workplace, but they also need to balance that with the very real penalties that are attached to overreacting. The classic cautionary tale is the individual fired for sexual harassment after repeating a storyline from Seinfeld ("Dolores!"). As I recall, he won a multi-million dollar judgement for wrongful termination.

Some industries *require* snooping

[coyote-san]

Before you get on your high moral hobby horse, remember that some industries *require* logging and reviewing all email and all other communications. Any stock broker, for instance, since it's required *by the industry itself* to ensure brokers aren't making statements they can't back up. (E.g., buy Microsoft, it's *guaranteed* to double again by April 2000 when W2K knocks Unix off of all servers!)

Even if the industry doesn't require monitoring, a company may be required to perform such monitoring by legal action which you're not aware of. E.g., the original poster's company may have been hit with a million dollar sexual harassment suit and the lawyers asked for information about what's in mailboxes as part of a discovery motion. If you, and all other sysadmins "with a backbone" refuse, your company can't comply with the court order and could face dire consequences.

Does this mean that a sysadmim should roll over and do whatever his boss asks, without question? Of course not. But part of knowing what it means to say "no" is understanding what it means to say "yes" -- and I've just listed two situations where no reasonable person can refuse to comply with the order.

Finally, don't assume you can always quit. If you refuse a reasonable order and "quit," your employer can still say you were "fired, for cause (insubordination and dereliction of duty)." If the objectionable order came from a single panicked HR person, the latter characterization couldn't stand much heat. If the objectionable order came from a court order, you better pray that your future employers never check with your previous employers.

Same in the US

[coyote-san]

Duh, in the US an employer can't scan through an employee's PERSONAL snail- or e-mail at will.

However the law presumes that the employee receives his personal mail (of all kinds) at home. Anything that the employee receives at work is presumed to be work related unless the company has formally stated otherwise.

This sounds like a minor point, but it's not. Less than a hundred years ago employers routinely monitored employee's activities (e.g., Ford Motor Company in the early part of this century was especially notorious), and they wouldn't have thought twice about firing an employee for receiving mail *at home* from an "undesirable" party. Today an employee has an extremely high expectation of privacy *at home*.

Let's keep this problem in perspective, okay?! How many people really, really need to send and receive personal e-mail from work instead of waiting until they go home (or go to a cybercafe at lunch)? How many people really, really need to download pornography at work?

"common carrier"

[coyote-san]

Common carrier status has nothing to do with it. CC status primarily protects the phone company, e.g., you can't name Ma Bell as a co-conspirator even if the murder is discussed over the phone. It only affects the public in that CC status requires service be offered to the public at a fixed, published tariff.

The right to monitor (record) the phone goes with whoever pays the bill. At home, you pay so you decide whether to tap yourself. At work, your employer pays and *they* decide whether to tap their own lines. If you want to make a private call, go use the public phone on the corner. (N.B., *you* pay for that pay phone call.) The presence of a PBX system is totally irrelevant.

Finally, the recordings several other people have mentioned is a courtesy (in most states and all interstate calls) to the *caller*, not to the employee.

Re:Been there, but didn't do it--here's how.

[coyote-san]

This is a management issue, not a technical one. You are a technician, not a manager.

I'm confused, this seriously undermines the rest of your argument. Technicians follow orders, they don't debate them and they certainly don't refuse to do them.

As an example, consider a technician at a Grease Monkey. What do you think would happen if he quietly refused to change the oil in a customer's car? Do you think his boss would simply ask the next one, or would they immediately fire his sorry ass? Do you think any future employer would care why he refused to change the oil?

I think sysadmins fall into a grey area between management and technicians. They aren't management, but management should listen to them when developing policies. If this objectionable policy already existed and was published, and the sysadmin didn't bother to complain about it before, then they'll get little sympathy if they object when it is time to actually enforce it. If this policy is new (or ad hoc) and management refuses to listen to their concerns, then quiting is much more defensible.

BOFH strikes again

[QuantumG]

Oh please.. The solution is simple, fake mail from inside the Human Resources department a few porn messages and hand them over to your superviser.. When nothing happens about it, make a stink saying that "You asked me to find the trueth and you have exploited your position in supressing this information".. Go on campains around the office stating how there are one rule for the human resources department and one rule for everyone else. Get a few innocent people fired and they will go ape shit and destroy the email scanning practices of the human resources department, probably with large court cases and grotesque amounts of money. The best thing about being a bastard operator from hell is that, after the initial fraud, you get to take the moral high ground and demand equality and privacy at the same time as delivering evidence of immoral behaviour.

These are not all my words I must say, I was majorly influenced by the BOFH expert in my office. Thanks Dave.

Re:France and Privacy

[JPS]

Oh well, I'm french, live in France, but think that France is a very nice place to live in, but NOT a nice country with respect to privacy. A few examples: a friend of mine works in a big bank and he told me not to send any bullshit in my email because they were all scanned.

Also, what about the 5000 illegal tappings performed by former president Mitterand himself?
And what about the recent discovery that Paris mayor Tiberi allegedly installed microphones in the offices of all his political opponents?

Why do you think that France waited so long before allowing strong encryption? Well, they waited until the economic loss due lack of encryption would be significant with respect to the fact that communications can't be tapped anymore.

Fighting the system (Add your tips here)

[Lucius+Lucanius]

Do you work in a lousy cubicle where you have no real work but have to tap the keys and pretend to be busy? Do you have a clueless boss who only tries to "keep you busy" but who doesn't (and can't) understand what you do?

Obviously, you need to do things to entertain yourself in a stealthy, yet entertaining manner.

What are the best techniques to fight back? (Add your hints, tips, and critiques).

1) A good monitor angle.

This is the best tactic against physical offensive maneuvers from management. The best angle is one which lets you see if someone is coming near you, but which obsures their view of your screen.

2) telnet.

Most places don't bother to monitor telnet. I was at a place that scanned web/e-mail. The first thing I did was login to my ISP's shell account. Once in telnet, I used lynx, irc, pine, etc. to spend the entire day in blissful entertainment. This is one of the best options left.

3) scripts - Really lousy employers count login times, keyboard hits, etc. Automate your work, or your work will make you an automaton.

4) Pre-emptive strikes.

If you have a manager who drops by too often, try going over to his cubicle to give an "update" before he comes by.

5) Easter eggs.

The one in Excel 95 has a DOOM like little game. Try playing it. fun for hours. Hit a key to go back to excel if someone comes by.

6) QBASIC/text based games.

All the usual games are too obtrusive and catch attention. Play a mud, do something in text mode.

Hmmm, that's all I can think of, and the Simpsons are on. Folks, add your own ideas.

Thx.
L.

PS - Oh, one more. Use rubber bands, binder clips, etc. to make funny, innovative devices.

France and Privacy

[gproux]

I think that there is a Law in France that forbids the employer to scan through personal mail be it snail- or e-mail.

If they do, they cannot use it as a proof for misconduct, they will be illegal and liable of Privacy Invasion and can be sued.

So come to France All!!!

Been there, but didn't do it--here's how.

[clintp]

How? I politely refused. I said, "I'm sorry, I cannot do that with a clear conscience." They may taunt, cajole, and threaten but keep repeating the mantra, "I'm sorry, I can't do this."

If you're valued enough, and good enough at your job this is not a problem. SAGE (SysAdmin Guild), IIRC, has some articles on this and what it boils down to is: nobody is forcing you to do anything. Refusal to do this is defensible. This is a management issue, not a technical one. You are a technician, not a manager.

Don't preach, don't condescend, and don't moralize. Simply and quietly refuse to do it. By not making a big stink about it you cost no-one any face. The first, second or third sysadmin that refuses to do this will make them reconsider, and not even bring the topic up in the future. Sing the company song and in every other way be a team player, just quietly refuse to do this one thing.

PS: Make very sure your own house is clean before you attempt this. If they do find anything remotely questionable in your mailbox, you'll be out in a heartbeat--with good reason.

What you should be looking for...

[Hobbex]

Pornography is not a big time waister, a couple of peeks to make a employees day better is likely to help both him and the company in the long run. Plus people work faster and better if they can releave some sexual tension every now and then.

If your company has anybody remotely techie you should start checking for slashdot instead. It takes lots of time, but gives very little sexual pleasure (sorry people :-) ).

The world needs to grow up...

-
/. is like a steer's horns, a point here, a point there and a lot of bull in between.

Electronic Communications Privacy Act of 1986

[Farce+Pest]

The above act is Public Law 99-508. You can find more information at http://thomas.loc.gov/. The relevant portion of the abstract reads:

"Amends the Federal criminal code to extend the prohibition against the unauthorized interception of communications to specified types of electronic communications. Prohibits unauthorized access to an electronic communications system in order to obtain or alter information contained in such system."

If anything, you could take the position that intercepting e-mail would violate the above act. It might at least buy you some time while your employer grumbles about lawyers.

I caught my employer reading my email

[pzil0cyb3]

I was in a dispute with one of the bosses, and we're an extremely small company and I had been writing my parents requesting help on an issue. After the day of this 'dispute' I have lost all trust for my employer and employers as a whole. My primary boss wrote me an e-mail that included a portion of an e-mail that I had sent to my dad. After I saw this, I felt rather violated.. not only did he get into my mail but he showed me that he did. Since then, other than losing the trust I had for him, I never use my work e-mail account anymore except for work purposes.

Regarding your issue, I think you should just do as you're told as far as "looking for porn" but if you find any, notify/warn the employees involved in a subtle manner while telling your employer that you didn't find anything... unless someone has excessive porn that you find bothersome and necessary to notify your employer....

Follow your guild's code of ethics

[Wookie+Athos]

(unless you disagree with it I guess :)

I would have expected to see a question like this directed to one of the sysadmin guilds you're probably a member of (what, you're not?). If you were a member of SAGE, you would be aware of the SAGE Code of Ethics. SAGE-AU has an equivalent code.

In the SAGE code it mentions:

System administrators will not exercise their special powers to access any private information other than when necessary to their role as system managers, and then only to the degree necessary to perform that role, while remaining within established site policies.

So, the bottom line: What do your organisation's policies allow?

The usual path for this sort of stuff is to get the managers in question to publish a policy (even if it's something as crappy as voicemail to all employees warning them of the policy and the consequences of breaching it). It often helps to provide a draft policy to get them started down a reasonable path.
Then your tasks are clearly defined. Without a published policy you and your managers are walking in a minefield.

Keep in mind that the published codes are there to protect you as much as anyone else. If a manager tries to force you to act against your principles you have a recourse. As a member of a guild you can point to the published code of ethics and say "sorry, I cannot do that". "And neither will any other ethical sysadmin".

Whatever you do, get your instructions from management in writing.

Fair Warning

[gavinhall]

Posted by polar_bear:

Unfortunately, legally the company has the right to do that - and I can't say that I think that anyone really has the RIGHT to be downloading porn on company time, either. If they ask to scan for something like content of email or something, that's fairly repulsive - but if they're asking to do a general scan for jpegs and whatnot, then simply ask that you're allowed to do a warning first, then scan a week later. If it's the first time that the company has tried to enforce a policy it wouldn't hurt to simply re-announce the policy and tell people to expect it to be enforced soon.

It's one thing for a company to check if you're downloading porn or something like that vs. a company saying anyone who's ever used company email for private use is going to be fired, or scanning content of email for comments about the boss or something.

Zonker

The law is irrelevant here

[JoeBuck]

Yes, companies can legally snoop all they want on their employees. They can also demand that everyone piss in a bottle once per day while the company doctor watches, sing the company song, etc. But only people with no talent or valuable skills should go along with such policies. In case you haven't noticed, we are currently in a sellers' market for technical talent.

If you are a sysadmin at a company that demands that you snoop through peoples' mail, and you feel that this violates your ethics, don't go along, and, if necessary, leave. Explain to your employer that, while you agree that it is legal, you feel that it is unethical and you will not participate.

The only reasons companies can force you to put up with this crap is because too many employees don't have any backbone. The reason for respecting employees' privacy is because it is the right thing to do. Exceptions should be made for people who aren't getting the job done.

Scan HR's mailboxes

[demi]

Just scan HR's mailboxes, and carefully. Heck, put them on some porn spam lists and allow them to see the folly of their ways.

Web Serfs

[MadAhab]

The problem with this theory is that corporations have more rights than people.

If you want privacy go get a hotmail account

And that's not private either (egregious security holes aside), since it's the corporation's data pipe, so watch what you say, Ashley.

This kind of slave attitude is responsible for a long slow slide back into feudalism. "Hey, Lord Bumsenfock is all that stands between you and the Tartars, and this is his land, so actually he does have the right to steal your food, kill your son, and deflower your daughter." There is no logic and no honor in this.

Between bootlicking nonsense and creationism, I'm terrified of how Americans are rushing back to the dark ages.

Phone calls vs. E-mail

[Lucius+Lucanius]

Here's the deal: Phone calls cannot be monitored because the phone line is considered a "common carrier" and thus not the property of the company. E-mail and files on your PC, on the other hand, are company property, so they are legally allowed to be searched. Having said that, the crux of the matter is - because a company CAN do it, doesn't mean it SHOULD. Many companies can legally set up cameras in rest rooms. Some do so(there was even a law suit, I think), but for obvious reasons, this is a despicable practice. Similarly, your manager can legally open all your drawers after you leave work, and shuffle through your papers to see if you have a copy of Playboy in there. But how many of you would want to work in a place like that? The bigger issue is this - what exactly does a company achieve by resorting to petty monitoring, other than ruining its own culture and terrifying its employees? Just imagine the massive amount of HR resources spent on this. If someone uses their company time to browse porn, it falls under the category of "Obvious No -No Activity". A company does not install cameras in the restroom to see if its employees are jacking off there. Nor does it hire Cubicle Inspectors to walk around peering over shoulders every 5 minutes to see if someone is working (though clueless managers perform this function adequately) . We rely on common sense and mutual trust in the work place to deal with these things. I am not sure why porn is any different. Obviously we don't try to monitor people who keep playboy (the paper variety) in their drawer. History-repeats-itself Dept: An old article in InfoWorld has a programmer relating a story of the old days when printers started becoming commonplace. Combined with FORTRAN, programmers actually started writing programs to print naked women on a *dot matrix* printer. (One can only imagine how desperate they must - if you've seen a dot matrix printout.) Managers promptly had meetings to resolve the "printer/FORTRAN misuse" issue. Well, it may seem laughable now, but remember - whenever a new technology comes along, this happens. Those who "get it" embrace the potential and use it in powerful and innovative ways. Those who don't get it crack down on those who do. For obvious reasons, HR people belong to the latter category. I'm surprised a Microsoft employee is in there too. ;) BTW, "vidi vici veni" is an ancient quip, kinda like the "what is mind, doesn't matter...." joke. Oh, one more note about the phone vs. email privacy. In some states, phone lines with *extensions* can be monitored legally by the employer, since they claim the extension and PBX equipment, etc., is the property of the company. This is a grey area and there have been lawsuits about this. I believe voice mail is totally the property of the company, legally speaking. Ultimately, privacy in the work place is a cultural issue. Any company which deals with sensitivity towards the employees is doing the right thing. Any company which pisses off 10000 people to find the 1 person who looks at porn, probably is out of touch with the way the world is moving. BTW, what is the policy at companies like Microsoft, IBM, Sun, Yahoo, etc? L.

No, that's a bad attitude

[Wah]

Sorry, I totally disagree, not with the fact that the company owns it (to dispute that is idiocy) but that they *should* or its *right* to spy on their employees.

I read an article yesterday from the WSJ about the practices of Herb Kelleher the wacko CEO from Southwest Airlines. When asked why his company did so well (26 straight years of profitability) he said basically because all of their employees bust their ass at work. Why? Because they love their job. Why? 'Cause they don't have to be stuck up or put up with too much stupid bullshit and are allowed to act like people not drones. Have you ever had someone sing you the safety procedures like Elvis? I did, on Southwest, flying into Memphis.
With the way businesses have to move these days (Service, service, service, it's too easy to change providers) having happy, well-adjusted, comfortable employees is beyond measure. Having scared, paranoid (because they receive a diry joke on e-mail, god forbid), and boring employees leads to that type of company.
Basically my point is that employees are there to get their work done, beyond that stay off their case.
All of this is a big reason why I chose to start my career outside of the corporate environment. I like being told and telling off-color jokes, 'cause they are just that much funnier.

(BTW the notebook example was much more accurate than your handkerchief one)