Slashdot Mirror
Ask Slashdot: Privacy in the Workplace
redactor asks: "I work as a sysadmin for a rather large corporation. The Human Resources department has gone on a witch-hunt, and wants me to start scanning user's email for porn. I know there have been some legal battles with this in the past. The company policy is that all data on company computers is property of the company, NOT the user, but I personally value privacy, and am refusing to do this unless it means loosing my job. How have other sysadmins been handling this?" Actually, since it's the office network, I really don't believe it's a voilation of privacy (unless said privacy was explicitly given...most workplaces don't make this guarantee).
You have got to be kidding! What happens to the guy who's wife emails him about the great time she is going to give him tonight and it ends up in some manager's (who happens to be very christian) email box? How will you feel when that manager takes it upon himself to cause as much trouble for the "Godless heathen" as possible?
Any "scan all email" approach is an invasion of privacy and is on slippery footing because the SENDERS are not and can not be notified in advance. Anyone who has given out their work email address so that freinds or relatives can contact them has then opened themselves up to having their email sent to whomever monitors it, and possibly being disiplined because of what someone else sent!
What happens when one employee sends a message to another employee that says, "I fucking hate manager X"? If the script trigers on fucking this non-sexual, work related email ends up in the "monitor's" email box. There is simply no way to write a script that will trigger ONLY on valid "Pornography".
Legally a company MAY have the right to look through employee's email boxes. Morality always depends on your point of view. It varies from place to place and time period to time period. What typically leads the way is the precidents that are set. In other words, whatever you do now will have profound effects on the future.
The thing to remember here is whatever happens will also apply to you, and do you want a "Private" email from your spouse, or significant other(s) being read by the "Monitor"??
As an email admin for a large company, I can tell you that if this issue came to me, I would refuse to cooperate in any way. If it came to the point where it was an order, or they were going to bring in someone else to do it, my resume would be in the hand of Headhunters and on job boards almost immediately. In today's job market, the employee has more leverage then normal. If enough people insist on privacy, corperate america will listen. The one thing I would do before sending out my resume would be sending an email to all the employees informing them that their email was going to be scanned.
I would caution you against saying that you had done it when you had not, or faking the results. These actions could end you personally on the end of a harassment lawsuit (because you covered it up), and make things much worse for the company in the event of a lawsuit (a conspiracy to allow harassment).
Here's some interesting questions to ask anyone requesting email/web scanning:
1. When are we going to start monitoring phone conversations and voice mail to make sure it is work related?
2. When are we going to start searching employee's as they enter the building to make sure they are not bringing in Porn or non-work related materials?
3. When are we going to install the microphones in all areas of the building to make sure no employees are flirting or having non-work related conversations?
4. When are we going to install the cameras in peoples offices to make sure they are only doing work?
5. When are we going to start neutering employee's so that they don't ever get arrosed?
6. When are we going to start monitoring employee's minds to make sure that they only think about work?
and maybe most importantly:
7. Who is the "MONITOR"?
Ben Johnson
But how about this, ask HR 'What is porn?', and how can my scanning scripts identify it?
Searching email manually for a large corp is out of the question. And what do your scripts look for. Dirty words? How many dirty words constitues porn? One? A hundred? Ask for a list of dirty words. Ask them to read the mail that your script flags (you can even have your script flag alot of totally innocent mail just to give them more work to do). Ask them to view all the binaries. In short, you can find a lot of work and unanswered questions to hand back to HR. Let them shoulder the burden. Hopefully they'll sicken of it and find some other useless project to justify their existance.
I read WWW during work all the time; a co-worker of mine uses IRC several hours per day during work -- so far, nothing has happened.
(Porn, of course, is a different matter. Not only do you use company property for private affairs, but you are potentially damaging the company's prestige.)
My boss told me the other day that, if an employee gets fired for surfing or having private phone calls, this will probably not have been the only reason he got fired. Probably, this will be just the good, justifiable reason HR has been waiting for because they wanted to close down your department anyhow or whatever.
The answer is probably: yes, they can snoop on email, yes they can force you to do it, and so you probably should. But I'd put it as a fifth priority, something like 1) making sure your computer works 2) making sure the network works 3) making sure other users' computers work 4) download porn yourself 5) check to see that other people aren't.
As a security consultant for large companies and a big fan of personal privacy I have had HR or some other entity ask me to do this as well. My suggestion is to: 1: Get the request in writing from HR to cover your ass. 2. Be sure that your superior is aware of this request and agrees with HR's approach. 3. Recommend to HR that they send out a company wide email/memo re-stating the companies policies relating to personal use of the companies IT infrastructure about a week before you do the scan. If the company has no documented policy on personal use of corporate IT recommend that they get one published first otherwise if you do find something it will be pretty much useless as reason for discipline. mystik@ix.netcom.com
So if a movie (with live actors) shows a woman being raped or a child (real child actor) being graphically killed, this is allowed because it it not harmful to children. But drawing pedophillic scenes involving people who never even existed is somehow ok. I'm confused. Why is a ficticious portrayal of one crime againse a child acceptable to the public but not another, esp when the latter doesn't even involve children in any way.
I think the problem is that as CG and technology make fake child porn look more real. Cops raiding someone's stash will, sooner or later, be UNABLE to tell if a tape contains real child porn (illegal) or perfect, indistinguisably life-like CG child PORN (legal). Rather than having to worry about the diff, it's easier to just ban it all right, even if it does trample of freedeom of speech and of the press. In what way can free expression utilizing pencil and paper get me jailed? Up 'til now, the anyway the answer was not in any way. You DON'T see a dangerous slippery slope starting here?
Having been root at two of the largest Internet providers in the world, I've had a good deal of experience with being big brother. Although I have not been put in position the orignal poster is now in, I have formed, and suggest that all sys admins must form, an ethical schema with which to work by which would guide me in such a situation. In this case, I would let the company know that scanning others email for pornographic content violates my ethics and would request they put the task to someone else. If it appeared I would be fired for non-cooperation, I would move on. Although painfull in the short run, I'm damn sure hindsight would show I had made the correct decision. JowBuck is right on with this statement of a companies need to offer some level of privacy to an employee out of respect. Companies who respect their employess enough to not invade their electionic communications do exist! I currently work for such a company. I suggest that any of you who feel your ethics are being violated by your current employer move on to a place worthy of your talents. - Dumas
I value privacy as much as the next guy, but when did it become a "right" to download porn at work? If the company paid for the network equipment, computers, and the access, then they have the right to restrict their network as they see fit. How would you like people bogging down a network YOU pay for. I stick to business related stuff at work (and reading slashdot :), and do the personal e-mails and stuff at home. Finkployd
Agreed.
In Elizabethan english,
Ah, here's the problem. Go back further to middle or old English.
there was both a familiar and a formal version of the second person singular pronoun. The familar version was "thou" or "thee" Thou as the subject of a sentence: "thou hast a chicken on thy head", and thee as the object: "I despise thee." Neither of these words were every written with a thorn.
Wrong. Check out this university explanation of the thorn and see it used in 'the' and 'thou'. Or go read Beowulf in the original Old English. Besices the thorn English once used the eth (The unvoiced 'th' sound line in 'thought'), the asc or ash (the joined ae ligature still occasionally seen [today!] in words like encyclopaedia.), and the yogh (resembling a descended 3 with a flat top). People have such static concepts of the English alphabet and think if never changed. Heck, J and V and W are all fairly NEW additiona to the alphabet. Since ae is still used today, how many letters does the English alphabet really have again?
Probably the best way to keep your integrity & your job is to give everyone fair warning that you are being required to scan the network for pornography before doing it. People will clean their dirty laundry & your company will have a porn-free network. (And anybody who gets caught after such a warning is such a moron that they deserve it.)
If your managers have told you to do the scan secretly, because they are on a power-trip & want to "catch" as many of their employees as they can, then I'd probably follow the advice of some of the other posters & falsify the results (no porn found sir!) & start looking for a job at another company with more rational people in charge.
Aye I agree it's perfectly logical from a legal standpoint. But we are human beings and have certain beliefs, which we hold on to rather strongly(depending on our character). The decision to allow email porn(or not) is another belief(most likely the tip of the iceberg regarding employee privacy). The company is trying to force it's puritan beliefs down the throats of it's employees. Scanning for email pr0n is anal suspicion that their puritan values are not being respected by the employees. As long as the work gets done, I say they should keep the fuck out of peoples business. There's a fine line between "enforcing comany policy" and trying to own someones soul. And if your comapany is like most, ownership of the employees souls is nearly a complete process anyway. The pr0n and other "issues" are simply small outbursts of freedom companies feel compelled to crush so the soul ownership can be complete. I say pretend to go along with the policy for as long as you can and be looking for a new job in the meantime. I sense a bad case of hostile management out there. The only way we can cure them is by leaving them.
As a sysadmin you have the power to read the emails of your users in order to solve e-mail problems (routing, attachments, size, etc...).
You cannot use this information to "prosecute"/fire/kill/etc your users *UNLESS* you have directly given to them a warning that the emails are monitored, i.e. in the MOTD of the mail server if they have shell accounts, or a company memo sent to everyone on paper (not on email, natch), or even better: a signed letter back from each user.
Ask the company lawyer about this. At the very worst it will delay your scan when you tell your boss "There are some legal issues, so I am checking with the company lawyer". With any luck, you will be told to forget about it.
Q-Bert
Who gets hurt when an artist creates pornography? The same kind of people who get hurt when someone yells "Fire" in a theater, or when someone creates hate literature calling for genocide and racial/ethnical cleansing. Madison Avenue makes billions every year because literature, art and media cause behavioral changes. Pretending that the expression of ideas does not have a causal relationship is IMHO, either naive or generally self-serving. The courts in the United States have made corporations legally responsible for the "free expression" of their employees when the employees are using company resources or on company property. Free expression doesn't mean you have the right morally, ethically or legally to use someone else's resources to create or distribute that expression.
I find that scanning the manager requesting the scans, and including that in the report, and sending a copy to the IS director (as justification for all that scanning time) is effective in cutting the volume and frequency of requests :-). If you suggest that to your IS managemnt, they might take you up on it (as a cost control measure, of course).
Also, suggest to HR that they should be more interested in private business deals, stock trading, coupon trading, pyramid schemes and so on. Non-business use of email is hardly ever about porn, in my experience, since most of the porn is more easily available through HTTP. Most of the sexy hits I found were spams, and we don't prosecute for mail received, unless we can show that it was solicited...
This isn't about censorship. It is about the rights of property owners. At the office, the company owns the computers, the hard drives, the network, and the internet connection. An owner should be allowed to make the rules about how his/her property is used by his employees. Don't like the rules, exercise your God given right to tell the owners "Take this job and shove it" otherwise you agreed to the pay scale and policies when you agreed to take the job.
Better yet, send some porn from an anon site to the pinhead who wants this scanning done. Then pick him out as one of the culprets and get him fired.
Personally, as a sysadmin, I would not scan everyone's mail for porn, or religion, or anything without ensuring everyone knew it would be done. The trust of all your users in you rests in two things: "I could read you mail but I don't" and "If I do happen to see your mail, like when you have problems reading it, I do _not_ tell anyone else what's in it". Once you lose it, it's gone forever. If your users know what's going on, they can't consider it as you abusing your authority without them knowing. And if they know the company is doing something that just doesn't work, isn't fair, and basing the treatment of employees on it, they might well vote with their feet.
It's practically impossible to scan for porn, or religion, or Monty Python references, or anything else complex. Your company's policy is deeply flawed if they think it is, and it's up to you as a professional person to educate them about what is and is not possible. For example, ask them to define 'porn' in such a way that a machine can scan for it. Then ask them to define, say, "company sensitive information" and similar things.
IMHO - good luck settling this to everyone's satisfaction.
Nicolai
I kept thinking "What does this have to do with glib? And shouldn't that be glib2.1?"
I need to get out more...
Gee, all you really have to do is scan for 25 megabyte files... Oh, waitaminute - that's a two word attachment in Word for windows. Uh... never mind.
Mark Edwards
Proof of Sanity Forged Upon Request
Though that used to be the case, France has recently loosened its crypto restrictions. IIRC, they now allow up to 128 bit private key crypto.
Alex Bischoff
---
Alex Bischoff
HTML/CSS coder for hire
As for losing trust for every employer -- don't. There are plenty of decent people out there who know how to treat other human beings in such a way that they are both respectful of and productive for them. (Hint: It involves treating them as human beings.)
- A.P.
--
"One World, one Web, one Program" - Microsoft promotional ad
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
Go ahead and "find" porn..in the VP of Human Resources mailbox. Make sure it comes from an outside source...and then see how quickly the Witch-hunt dies.
It has worked elsewhere...
ttyl
Farrell
CAN-CON 2019 - Ottawa's only book oriented Science Fiction Convention! October 18-20, Sheraton Hotel, Ottawa, Canada h
Posted by polar_bear:
You are a person of conviction and honor - I respect that. Too damn bad you're likely to be jobless with those qualities. Speaking out about or refusing to enforce company policy is a very fast way to find yourself out of a job - I know. I got fired once for loudly protesting a random drug testing policy. I'd do it again, but this time I'd have more $ in the bank before I did it... Zonker
privacy is an illusion and, clearly, you are hallucinating.
please, share whatever it is that you're on -- i haven't been that out of touch since they last cracked RSA . . .
Best Regards, mds
No one said it was a productivity issue. Try a sexual harrasment issue, remember pornagraphy in the work place is a public offence even if it isn't public. I think that might be more the legal issue described above.^ ~
^~~^~^^~~^~^~^~^^~^^~^~^~~^^^~^^~~^~~~^~~
...
You've got to be kidding if you think this is an invasion of privacy. When you started working there they told you about using corporate equipment for things. There is a degree of trust and respect, you call your wife from work and talk to her about dinner or weekend plans. You send emails to your friends from time to time. Porn is a perfectly reasonable place to draw that line, it can be sexual harassment, and it can invade the privacy of people who accidentally see it.
The alternative is to start your own company, buy your own hardware, hire your own people and the let them do whatever they want. And then deal with the work place harassment suit when a female employee sues you. We're talking about the bottom level of professionalism here, we're not talking about peering into people's private lives. If you want to view porn then do it privately, not in your place of business.
The irony of all this is, English has lost it's previous third-person plural: "thou", for "you", which is both plural and singular, which has the potential for confusion.
Yet, when folks in the South try to remedy this situation by using "y'all", to overcome an obvious deficiency in our language (lack of clear distinction between third-person singular and third-person plural), they come off sounding uneducated/rural/provincial.
"The number of suckers born each minute doubles every 18 months."
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
heh, my 11 year old son got in trouble at school because he got email from a freind of his at another school, she was emailing around dirty jokes.
Fortunately, the school administration understood when the situation was explained to them, and so backed off, after we promised that the sender would be spoken to, and punished. (no email for a month).
Now his freind just sends annoying chain letters, and still hasn't learned that Bill Gates is not going to show up on her doorstep with a Disney vacation, a truckload of M&Ms, and 12 juvenile cancer patients that are cured now that she mailed her junk to 20, not 19 of her friends.
"The number of suckers born each minute doubles every 18 months."
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
As a general rule of thumb, in America, if it interferes with the company making more money, it isn't permitted.
"The number of suckers born each minute doubles every 18 months."
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
if only I had a T1 line at home. I can get as much porn in 1 hour at work as I can in 5 hours of surfing at home over my 56k modem.
(example provided as sarcasm, and to illustrate a point - personally I fear my company because I'm aware of their policy, that it's their equipment, and I'm a good little worker)
"The number of suckers born each minute doubles every 18 months."
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
did you find that out the hard way?
"The number of suckers born each minute doubles every 18 months."
These are my friends, See how they glisten. See this one shine, how he smiles in the light.
At my job, my boss emails me links to the best Slashdot stories.
I guess that's the advantage of working at a cosy startup.
--
Marc A. Lepage
Software Developer
Needless to say, the only filthy things that arrive via email tend to be ads for web sites. Thats all I get and I get WAY too much of it. I would think that those scans would yield endless garbage.
I feel there is nothing wrong with doing this as long as everyone knows. At my father's firm (large construction firm, very conservative), all mail is opened and checked out by the president. When my parents went through a divorce, my dad would talk to the lawyer who was sending faxes 15 sec before he did to make sure he was the one who got it. To prevent office gossip. I find very little wrong with this. Work is work and just that.
Now, I read slashdot, salon, and a few other things every day from work. I take my break time and split it up.
I think that everyone should know about monitoring policies and should deal with it themselves. If you want a personal email, get an account somewhere else.
"We Came, We Saw, We kicked some ass!"
Sorry, slipped into Bill Murray mode for a minute....
First off, IANAL. Now, here is what the law says.
;). These guidelines do not apply in all cases. We will get to consent later on.
This is still a gray area; no case has yet to reach the Supream Court (that I know of) that has provided us an answer. However, the Electronic Communications Privacy Act of 1986 does provide some context (Title 18 of USC, go look up the section for yourself, you can expect me to remeber everything. Chapter II of the ECPA adds to Title 18). And recent state and lower level decisions also give some level of protection to both the Company and the Person.
The ECPA deals mostly with government behavior and monitoring, but it does not exempt the Company from its regulations. There are two areas that are closely related to the Company-Person relationship: (1) where the provider of the comminication service is allowed to monitor the communication and (2) where the monitoring is done in the normal course of business.
The first issue allows the Company to monitor services that it provides. A phone is considered a "common carrier" and is thus protected, however a successful defense had been made in the case where the phone is an extension and the company owns the PBX. The same protection is granted to mail since it is carried by the USPS. However the Company is allowed to search voice mail. Email is also monitorable since it is a service provided by the company (however this obviously does not extend to the idea if you telnet out and read your email on a non-Company machine. The Company would be allowed to monitor your telnet session, but not your email. This is what we have ssh for
The second issue is rather broad. It provides a delineation between business and person communication and implies that business only communication may be monitored. It also provides a defense for excessive targeted monitoring. There has already been successful litigation of this type. (In California, I think) An employee sued his employer for monitoring his phone for 24 hours straight to determine if he was attempting a robbery.
Consent is a very important issue. "Implied consent" is not valid to allow communication monitoring. The courts have held a very hight standard for this. There is one clear case where the company provides an "expectation of privacy" and then violates this. An expectaion of privacy can be anything from explicitly saying that there will be no monitoring to not specifying a policy (yes, that means by default you have an expectation of privacy). The more blurred case, but still non-monitorable is when the Company say the the Employee may be monitored. This does not give consent for monitoring.
The bottom line for a company to be completely safe is to provide a clear policy stating that the person *will* be monitored. The company should not try to monitor what they do not own. The company should only monitor business related communication.
-jason
Empty vodka bottles in the HR luser's wastebasket and letting the office gossip 'accidentally' overhear your concern about seeing them there (s'why the hard-core alkys drink vodka, can't smell it on their breath...who'd a thought it) should help with this. BOFH suggested Nyquil, but it's easier to get your bartender friend to pass you a couple of empty bottles of Stoli.
One or two snail mail subscriptions to fetish mags delivered to the witch hunter at work should get the mailroom people talking too.
Jack
character assassin
http://www.usenix.org/sage/publications/code_of_et hics.html
This is a wonderful example of an ethical code for Systems Admins. The third paragraph of Canon 1 is especially apt in this instance. It boils down to 'A sysadmin should follow the policies given by the company as law, but should attempt to properly see those laws changed when needed'. UNTIL the policies of the network are changed, the sysadmin should follow them, or explain in writing why s/he believes there may be an issue with the way they are to be carried out. Then, the Systems Admin must make a choice on whether to enforce the company policies until they are changed or refuse at the risk of his/her job. S/he should explain fully in writing the reasoning behind and state EXPLICITLY why and how s/he believe this violates his/her code of ethics, either personally or professionally. That way, if the systems admin does lose his/her position, at his/her next post that systems admin can reference this ethical conflict and back it up with a written statement.
Seems logical that if you have email access, then you have icq access.
Not really. It's rather easy for a firewall to block ICQ. They did it at my old job. Although they never were able to completely block AIM (can choose a random port).
Although I do have to agree that SOME form of chat software would work a lot better. Of course encrypted e-mail, or at least offsite mail would be the best recourse. I personally ssh into my machine at home, and I can get my mail from there.
Phone calls cannot be monitored because the phone line is considered a "common carrier" and thus not the property of the company.
Wrong!
In the EC within the last month, laws have been drafted to make it mandatory for companies over a certain size to provide unmonitored payphones in an area of privacy. All to do with a legal precident set by some office worker who claimed the company was acting unfairly by not allowing her to 'phone her doctor or something.
IMHO that's a good balance. You can't make personal calls on company extensions, but you do have access to unmonitored payphones in a booth.
It's only a matter of time before this also applies to email here in the EC. British Telecom are already trialling 2,000 email pay booths at train stations and post offices.
--
Andrew Oakley - www.aoakley.com
Why has the post "But when is child porn not child porn" been down-moderated!?!? It was a reasonably well written post bringing up an interesting issue it didn't even contain anything abusive.
I always thought moderation on slashdot was supposed to kill "me too" or "first post" type posts and elevate paticularly good points not suppress interesting posts
Marriage is the "pseudo-ethics" that cloaks the messy truth of sexuality in the raiment of propriety -- it's "Don't Ask,
Some of you may scoff at the seriousness of porn in the workplace, but I don't think some of you realize the legal liability this poses in American companies. There are many people who would consider the person viewing porn in the cubicle next to them a form of sexual harrasment, and would gladly sue their employer for not putting and end to it. So not only does this cause lost productivity, but it's also a lawsuit waiting to happen.
It may not seem really ethical to search through *everyone's* email, looking for the few that abuse the system. But it's likely that your company is not using you in some twisted ultra right-wing Nazi sex hunt, but are just trying to cover their butts from the lawyers. I would help them out.
(Minor point for any fellow New Zealanders - i read a legal opinion recently that said that inspecting employee email violated the Privacy Act, EVEN when the employer provides the email access.)
Strategy one.
Point out that it is impractical to scan encoded attachments, especially if they are images.
Point out that users have no control over incoming unsolicted email. Point out that "unsolicited" is tricky to define.
Point out that filtering on keywords is a doomed enterprise. You won't be getting any mail from Scunthorpe, for a start.
Point out that the resource required to implement monitoring could be better spent in improving the workplace in other ways.
Find out the goal. Is it to prevent people goofing off? Is it to forestall harassment lawsuits? Is it control your bandwidth consumption? In the first case, give people meaningful work to do. In the second, educate the legal people to understand how this is outside the effective control of the company. In the third, bill people for email based on your server logs.
Write a 50 page cost-benefit analysis.
Strategy two:
Agree. Tell them that you'll be happy to start as soon as you have a $FAVOURITE_MEGABUCK_SERVER_PLATFORM to cope with the expected server load. Aim high.
Tell them that they would need to hire another 4 sys-admin's to read every single mail and view every single website that is used just to track the users - don't use a technology solution at all, and make it very, very, expensive to snoop on the users.
How is one supposed to decide what is pornography without viewing it oneself? By viewing it, one immediately violates company policy or the law, and should (by that same policy) be dismissed.
It seems reasonable to this author that one can refuse, on the grounds that the company is expecting the sysadmin to view material that is either distasteful or illegal. No company can expect its employees to break the law to further company business.
It is too easy to get into casuistry, or specious arguments, here. There are legal definitions of what constitutes pornography, so the philosophical question "What is art?" may not apply here. But the corporation should be clear on where the boundaries of its rules and legal rules lie.
I have to agree with this.
Assuming I was not being watched over my shoulder, I would delete anything I found that was worthy for HR to fire someone over, but not something truly moraly offensive (eg kiddy-pr0n). Perhaps I would send them a "big brother/guardian angel" message, to scare the witts out of them.
Of course, not to raise any eyebrows, I would turn in a couple people that did things that couldnt get them fired (like that one guy who is subscribed to EVERY joke list on the net, and insists on sending it to everyone in the company, and maybe the person who had to CC the starwars trailer to 30 people vs putting it on a webserver)
Of course, this is my humble opinion.
:-)
Enjoy,
Mike
Just ratting out the people who annoy me, like any good bastard operator from hell... Perhaps they should have little "accidents". Hmmmm
*EVIL GRIN*
And now for something completly diffrent...
Mike
(Nothing I say should be taken seriously, as it may cause mental damage)
... but I LOVE the phrase "gentle fascist approach".
-- Arm yourself when the Frog God smiles.
Does the fact that he can't download any child porn off the net to jerk off to mean that your neighbor will molest your boy looking for his high?
his ? whats this his business? perhaps a large slice of sexual offenders are male, but NOT ALL.
P-plate adventurer
Now, while I admit I've had my fun scanning user directories for images, we never actually do anything with them. The admins around here believed that we were like confessors or doctors - we knew what you were really doing, but it's our job to be discreet. It's part of my job to manage the disk space allocations around here and when a group is whining for more disk space while maintaining 400M of porn, well, I'd be remiss in not clearing up that situation. It's my job to know what is on my network and allocate those resources to the best of my ability. Games and porn on our network are not the best allocation of scarce resources, but they usually get ignored until some idiot forces us to step in and put the smackdown on them.
With the proper gifsniffer, you can have hours of amusement seeing how users hide these things. One guy had them all named *.o and *.c; looked like one big code release. Made the mistake leaving an index README file in there, since I didn't recognize the 'package' name and I was curious as to what code was worth him going over quota. I usually just point out to them that they are over quota and here are some directories that would be good candidates for deletion (or archiving to home) - you do it, or I will in two days.
We've had users waste my precious time asking for file restores on their porn. This usually results in the deletion of all their porn and a nasty note. We've also had a user clog to unusability an ISDN link to a remote office with porn. He got a serious spanking for that one, I believe.
-- Raven
This is unbelievabe! Just five minutes ago I read this on rec.bicycle.misc:
Makes me think of my favorite quote from Hunter Thompson -- "Faster, ever faster, until the thrill of speed blots out the fear of death..."
--
Fuck the system? Nah, you might catch something.
While I can certainly understand the management's fear of sexual harassment suits, let's ignore that for the moment and concentrate on the misuse of company time and resources. Again, I must ask: why single out pornography? Jokes, slashdot, warez, mp3's and a host of other material are not fundamentally different from pornography in any way that I'd consider relevant. Can you rightly consider ten minutes wasted on porn to be worse than ten minutes wasted on "tech support callers from hell"? I say you can't.
Your employers seem generous and reasonable people, but for them to want to decide what is and isn't ok for you to view based on their opinions rather diminishes the quality of their character in my eyes.
--
Fuck the system? Nah, you might catch something.
I can understand HR being upset about eployees wasting company time. What I can't quite grasp is why they care whether it's wasted on porn or on, say, poetry.
--
Fuck the system? Nah, you might catch something.
French law damn well better protect your mail, since you're not allowed to do it yourself (encryption is banned).
--
Fuck the system? Nah, you might catch something.
You should start monitoring the email of the executives' that want you to do this. You could probably find some juicy bits and blackmail them into letting you not monitor the email.
Actually this bring up a good point that wasn't mentioned. HR alone really does not have the authority to unilaterally and arbitrarily have the network scanned for porn if it hasn't been before. This sort of order should come from above HR, and be OK'd with legal, and all sort of other things before it even gets to the IT person. I get the feeling this hasn't happened, and HR is requesting without any authorization from the higher ups.
There is no question about the legality of scanning the email accounts. The system belongs to the employer and they have the right to scan it.
The larger question here is the moral one. Should you violate the users privacy and possibly cost someone their job by implementing a policy you personally disagree with?
Personally Id suggest to HR an unofficial scan first with warnings to anyone identified. Then implement the policy officially. Failing that I'd walk.
I started with nothing and I still have most of it.
This is crazed! A sysadmin is someone who has responsibility to see to it that her/his network is not being used in a manner that could lead to harrasment lawsuits, and the passing of pornography can do exactly that. And then to lie to the employer about it is asking for trouble, let alone tipping off the offender!
I'm a sysadmin, too. And yes, I've looked at a fair share of porn, some of which would be considered in extremely poor taste, perhaps, but never on company time and never on the company wire.
The company the writer works for has a right (in the US) to protect itself from litigation, and if that means preventing someone from collecting and transmitting porn over the company owned network, then it is incumbent on the sysadmin to assist in that defense. A well-written internet policy should be in place to protect the sysadmin as well as the company, and it should be clearly understood by the other employees that they can expect monitoring... and take their chances, if they violate the policy.
Who the hell sends porn through e-mail anyway? If they really want to catch abuse of company resources, scanning NNTP and HTTP access would be the place to look.
About the only thing you're going to find in people's mailboxes is a bunch of pornographic spam that they haven't deleted yet.
Based on the zebra.net address, I'd say Alabama, which is very US (well, as long as you don't ask anyone on the wrong side of the Mason-Dixon :)
Various ramblings
If you are snooping in on someone's e-mail without their knowledge, there could be serious backlash. Case law will probably follow the use of the telephone at the workplace as an example, and you can't listen to someone else's phone conversation without letting them know.
It's their e-mail, and it's their phone, but it's still your privacy.
neo
If you are snooping in on someone's e-mail without their knowledge, there could be serious backlash. Case law will probably follow the use of the telephone at the workplace as an example, and you can't listen to someone else's phone conversation without letting them know.
It's their e-mail, and it's their phone, but it's still your privacy. neo
I personally refuse to write "him/her" ever. Why? Because it restricts language.
More importantly, it is simply grammatically incorrect. Why butcher the English language for the sake of being politically correct?
Jason.
But many states (FL, NV, others) have already outlawed the production, import, and sale of such media.
It is the same here in Canada, too.
In fact, it is worse and much more twisted than that. The age of consent in Canada is 14. However, the depiction of anyone under 18 in a sexual act is considered child pornography. This means I can legally have sex with a 14-year-old, but if I write about it in my diary, I am, according to the law, in possession of child pornography.
Orwell wasn't too far off. This next step -- and it's not a very big one -- is the Thought Police. It scares the hell out of me.
Forgive the offtopicness of this post, but I couldn't resist the rant.
Cheers,
Jason.
It sounds like you've just been issued with a blanket statement 'you must scan all email for porn'. Get them to clarify.
Do they mean 'scan all email for pornographic images'? That'll be hard. Ask them for a list of all filenames that are pornographic images. Or a list of key words that aren't allowed in file names. Then email someone a picture of the lovely English town of Scunthorpe.
I honestly dont see how its practical, without some sort of tool for recognising large amounts of flesh-tones in images. Maybe such a thing exists, but anyway, you go tell the suits you need more information. Write them a long memo.
Baz
The thing that I can't believe is that people when they are at work can't get by without checking porn!
I mean, jerk off or something in the morning and then at night. Cruise the porn from your home machine! Get some self-control! If you are that bored at work that you need to surf porn, maybe you should ask for more work? Or maybe find another job?
I'm totally serious with this one! I can't believe that people can't control themselves enough to not surf porn from work. Or that they feel the need to use company e-mail to send porn to all their buds!
Let's get real here. If you want to send porn e-mail from work, use a web based e-mail system or telnet to your home machine or something! If you want to browse porn and jerk off at your desk, well prepare to be fired, stupid!
I can understand if you are one of those programmers that works 15 hours and doesn't get home except to sleep. Hell, porn should be distributed by the company for those sorry SOB's, but for you 8-10 hour schmoes (including me) what is your excuse?!
For the guy that is the sysadmin, I say, if you have the policy in place, no porn at work. Then don't feel bad that these people are stupid enough to disobey the rules. It is your job to make sure that the system runs smoothly and according to the companies guidelines. It isn't like you are blindsiding any of these morons. Everyone knows you aren't supposed to be hitting porn at work.
As for all you free speech people, I think when you find the guy in the cube next to you jerking off to big busty babes on the monitor, you might figure out where the line is at that should not be crossed.
Quite apart from the privacy issues and the amount of time it will take you to do the job (presumably your boss won't mind the systems going belly up in the meantime), there's an easier way.
Just tell the users that their mail is being scanned for porn and that the web logs are open to scrutiny. I would suggest that there are two types of users out there anyway: those that assume it's happening and those that had no clue it was possible.
We all know how easy it is to write a Perl script to sift through web histories or a network filestore or whatever and pick out potentially "interesting" items - but whether this happens is another matter. I know that our sys guys have far more important things to worry about, but I also know that if it's becomes an issue then it's simplicity itself to set something up.
In this situation it sounds like a few words to the latter type, the ones who have no idea that emails and web accesses can be traced and scanned and probed, a few words would work wonders.
Of course, if you were really sneaky, take a snapshot of current usage, make a few announcements and then take another snapshot ... you'd only need to check the ones with a large enough delta :)
--
"I do not speak for my employers, though they are controlled from my Teddy's huge pulsating brain."
they ask me to do this sometimes and I just tell them "it cannot be done" :-) (unless they spend $$$$$$$$$) They have no idea.
Of course I have squid installed and I happen to know quit a bit about what eveyone is doing, especially the managers. The one looking into spying on people (my idiot manager) is the one coming in 1 hour late every day and surfing his porn account for two hours every morning.
Of course he doesn't even know what perl is, and he makes twice as much as I do and his christmas bonus was $25,000. His job is IT and he does not know how to make a shortcut on his little windows desktop. Fucking assholes.
support gun control: take guns from cops
I've always wondered about this. If you have an SSL connection through a proxy, is the SSL connection really between the proxy and the server, as opposed to the client and the server? If the former, that would mean your HTTP traffic could still get sniffed at or before the proxy.
Even besides yestreday's notorious security problem, Hot mail does not guarantee any privacy. Your webserver proxy can potentially monitor all traffic, including your HTTP POST data sent when you submit a form such as hotmail's (or yahoo's, etc) mail composition form.
I mentioned this some months ago but it aplies to
this topic as well.
Our IM department was pushed hard by Security to witch hunt for individuals accessing pr0n or for pr0n in email.
Their goal was to present this information during the next directors meeting, and ask for more headcount and funds.
However, everything backfired. After 60 days of logging traffic, they found that ONLY a few individuals were accesssing pr0n and those few were Directors themselves.
Do as I say, not as I do:)
As far as feeling morally opposed to going through email, I would explain that binary attachments are really the only thing necessary to check for. This may not be true, but this may prevent you from going through peoples mail. Just verify that their attachments are not images.
peaCe.
Of course you could do the above, find that the only problem users are directors, and HR will drop the issue in a HOT SECOND!:)
Awesome!
About a minute after I read this, I got the "Life In Hell" reference. :)
2) telnet.
Most places don't bother to monitor telnet. I was at a place that scanned web/e-mail. The first thing I did was login to my ISP's shell account. Once in telnet, I used lynx, irc, pine, etc. to spend the entire day in blissful entertainment. This is one of the best options left.
Would that my company didn't block telnet like 2 years ago - I used to be able to when I was on this network ring. Then they split my project onto a different network ring - telnet blocked. Now I'm on a different project, but telnet is still blocked over here. But now I can bring in a modem! :) They did just put in a fucked up (redundant?) proxy server, though. And you should see the things I have to do to get Bovine working, since it refuses to work through port 80 for some reason.
However, I also wrote into the policy that we will not investigate or snoop without a formal request from at least one "executive". (Director/V.P. level, of which there are three here.)
Lastly, the policy is also that we do not permanently archive email except for that saved to the "permanent archival" area, and we do not cache URLs. While this does open the door to violators covering their tracks, it does close the door to a large degree on our liability... because there aren't records we should have been checking.
If a user is under suspicion by a manager, proof is not needed immediately anyhow. The appropriate action is for that manager (or H.R.) to have a conference with that user to say: "There have been some complaints. We have not verified their validity, but you may want to be alert and careful."
Unfortunately, many H.R. people (and middle-level managers) are petty enough to prefer to bash people rather than getting on with solving the problems.
If the mail is to or from a representative of the company, as indicated by the email address, it is company-business and therefore not private to the employee.
In other words, if the employee sends/receives email from their ISP account at work, that mail is theirs. If the employee works for FiggleDat, any sent/received mail to JoeEmployee@FiggleDat.com is company-relevant.
This is especially important considering the company may be held responsible for abuse from that account... such as inappropriate postings, propagation of child-porn, or even just damage to the company reputation.
I can't believe something like this is even an issue. If you were talking about private E-mail accounts that people access at home, that would be different. However, you are talking about company E-mail that is intended only for conducting business. People that use it for other than business, particularly when there are specific policies prohibiting such activity, are playing with fire. And we all know what happens when you play with fire...
As far as the privacy issue, I don't think that really applies here. Because it is a company email account, it should only be used for company business. Doing so means there is nothing private to be concerned with. Your concern for privacy is certainly admirable, but I obviously don't think its very applicable in this situation.
So grab a beer and that Perl book and get crackin.
Perl - $Just @when->$you ${thought} s/yn/tax/ &couldn\'t %get $worse;
I worked for Dell (Telephone tech support- years ago), and was fired for reading *work-related* newsgroups while taking support calls. My manager, was of military background, and not technicaly oriented. I appealed, but higher management backed him.
---
Stephen L. Palmer
http://midearth.org
Just another BOFH.
I believe you are only liable if people were notified of the problem and do nothing to prevent it. First time it happens you should be ok - it's all about repeated events.
At least that's what our harassment training guys said. And that makes sense, too.
Quit if you think you must, but don't lie about it!!!
Your Servant, B. Baggins
No matter how much you don't like to do it, it is your job. The company owns the network, therefore, they 'own' all the data on it as well. Post something to an internal list/newsgroup that the email will be scanned as a warning, and scan a week later. If it's corporate, it ain't private.
@}--`--
The proxy log would show the hit to licos.com (or whereever) that happened first.
IBM does not scan everything. That's crap.
How in the hell would someone at Microsoft
know that?
Nice try.
-- Craig Miller Austin, TX
I think that sexual molesters have, by their actions, waived their rights to being offended.
as long as it will be a threat to my kids, 'it' is what it shall be.
Three Step Plan:
1. Take over the world.
2. Get a lot of cookies.
3. Eat the cookies.
Any company that has either been hit or threatened by a sexual-harassment suit has to prove that they have done their best to insure that the work environment is not sexually-hostile. That includes removing pornography where reported and try to ensure that it doesn't happen again. Companies no longer tolerate centerfold pinups on the wall, they should also expect not to find it on your 21" screen.
Otherwise it's a possible million dollar lawsuit for the company and someone's job out the door.
If the sysadm feels that the scan is a problem, that person does have the right to say "no" and suffer the consequences. Personally, I'd just explain to HR how technically complex the task is, get them to send out a email memo announcing that company policy explaining the right to scan the system for porn plus the consequences, and not do the scan. Most folks will get the idea and delete it if they got it. Those who don't and get caught later showing it off, well, they get fired.
Remember the slacker sysadm concept for today to provide maximum results for minimal work. Sending an email warning will do in this case.
-S. Louie
"I may be Love's bitch, but at least I'm man enough to admit it."
Err, this has nothing to do with what Joe McCarthy was after at all. Sure, some of the people who came before his committee may have behaved in the way you describe, but McCarthy didn't "rat out" anyone to get himself off any hook. He wasn't on any hooks (until the establishment took offense at his activities).
My point is neither to defend nor criticize McCarthy nor the original poster; let's not abuse what "McCarthyism" has come to mean (rightly or wrongly). McCarthyism refers to a so-called "witch hunt." The fact that some people preferred to expose other communists in exchange for leniency themselves is rather different. It's more like moral cowardice -- and if anything may be said of McCarthy, he certainly had the courage to pursue his convictions -- whether you agree with him or not.
DFL
Never send a human to do a machine's job.
Recentlty at the IBM i work at (endicott) 3 people got fired for just wasting time on the net, no porn, 1 was playing links the golf game with some guy halfway across the country, another had brought in a cdr and started burning roms, not even of pirated stuff, just downloading freeware and shareware and stuff, can't remember the third, all canned, no pension (not that it's very good anymore) no benefits, just get to go home and tell the family you got fired for nothing illegal, and these were tech and engineer people, not the 8$ an hour slobs (me) not anonymous eht
Tell the witch-hunter to scan through all the offices for porn mags, see how popoular that is :)
Tell him it's not your job to monitor if people work or not, tyour job is to make sure the systems work.
Do you really want to work for a company that bothers with porn? Quit, get a new job
1) If you work for a multinational, ask if management has asked Legal to determine if the new policy violates the privacy laws of the European Union. The EU privacy laws are slightly different in all member states, and they are much stronger than workplace and/or customer data protection laws in the United States.
2) If any of your users are known to be registered as contacts in the Network Solutions Whois database, they are almost certainly getting solicitations from purveyors of adult entertainment. Since many companies are not willing to disregard all inbound mail of a questionable nature, you probably ought to push for an specific provision in the policy which deals with this situation.
3) Many companies are moving to e-mail retention policies with extremely short holding periods in order to limit legal liability. I used to be against these, but I am starting to see the benefits when I think about the alternative of having to scan the content of mail messages.
Good luck, because this sounds like it won't be fun any way you slice it.
-- Dave Aiello
Subject line sez it all.
Some companies are reading your mail and your webmail.
-Obscura
The company I work for and their clients - for whom I'm sysadmin :) - have as much right to make sure nothing they disapprove goes on **THEIR** network as I do have the right to do whatever **I WANT** on **MYOWN** network at home.
I do not have the slightest tremor in my conscience when I am asked to go look at an **EMPLOYEE**'s mailbox for illicit (as per the company's policy) stuff.
-- ----------------------------------------------
Vive le logiciel... Libre!!!
"Amends the Federal criminal code to extend the prohibition against the unauthorized interception of communications to specified types of electronic communications. Prohibits unauthorized access to an electronic communications system in order to obtain or alter information contained in such system."
The thing to note, though, is that it's unauthorized interception and unauthorized access. Since they own the server, they authorize themselves to access the information on the system, and hence, it's legal for them to do.
Alternatively, you could use SSH instead of telnet, which is good idea anyway.
(The real point of SSH is generally to keep people "out there" from sniffing names and passwords, I doubt the people that wrote telnet had in mind needing to use it to prevent packet sniffing by your own local adminstrator!)
I was in a similar dilemma to yours:
I work for a company of about 600 people. One day when our Novell servers were running out of space I took a look around to see what was taking up so much space. One of the things i found was a young man in our accounting dept with about 500 megs of pr0n on his network drive.
I decided to deal with it privately, told the guy to get it off (NPI,) and warned him of the dangers.
anyway, it worked for me
Extremism in the cause of liberty is no vice, Moderation in the cause of freedom is no virtue. --B.Goldwater
I was put in the same position with respect to web surfing when I worked for a bank. The agreement that people signed to get web access included a disclaimer that their surfing was subject to monitoring.
If your company does not have such an agreement in place, you should work with HR and perhaps corporate legal to get one in place before scanning. The possibility of an invasion of privacy lawsuit is sufficient cause - it's expensive to defend.
Our ultimate policy was that it was a matter between employee and supervisor. So a summary report of web activity was eamiled to supervisors. The report compared an employees total web access against the average web surfer at the bank. Those people in the top 10% of activity were flagged. To the best of my knoweldge, most supervisors just deleted the message without review.
Points about porn.
This was before nanny filters, so we generated our own list of blocked sites - this might be good for you.
Our corporate security department required scanning for people hitting porn sites we hadn't blocked. There were very concerned about a sexual harassment lawsuit, on the grounds of a hostile work environment.
If you sent someone an email pointing out that their visit to www.hotporn.com was recorded they usually stopped.
There's more to it than this.
This should be moderated past the top. Very informative, and good advice. If it's against your ethics, quit. If you are a competant sysadmin, you will have no problem finding another job, and make sure you tell your new company why you quit the other one!
Privacy on hotmail? Obviously you didn't read the news from the day before. If a company has an established policy about this, all new employees should be informed during their first day tour of the office (or during the interview). If they want to start this kind of policy, inform user timeously so that they can clean up their act.
òò òó óò óó ôô õõ öö øø
No, they don't have the right...no more than your landlord has a right to randomly enter your apartment and check your wife's underwear drawer for drugs...its like a rent agreement.
--------- Matt
Oh, well, in a corporate environment the company does have the right to read your mail, I was talking about the ISP kind-of relationship where you are essentially leasing services. It seems to me that there should be confidentiality there, unless of course they are provided with a subpoena... (I hope....)
--------- Matt
What if someone gets porn in their mail as spam? I've gotten porn spam numerous times and I definitely did NOT sign up for it!
Of course, I never say what we find except in my report, which is delivered by hand...
I never like doing it, but I don't like the idea of slaving away while someone, somewhere is making my job harder in order to slack off... but making it known that they really are watching can have a couple of effects: the employees are less likely to engage in bad behavior (accomplishing HR's goal and making you feel less guilty when you don't find anything) and they're more likely to pressure management to stop it (or go somewhere else to work).
My only other contribution is to suggest that if you're going to be put in this situation, ask to be made accountable for such invasions of privacy. That is, ask that at least two managers approve each request for a scan in writing. That'll either get you fired or make them think about their actions. Either way -- problems solved :-)
"I want to use software that doesn't suck." - ESR
"All software that isn't free sucks." - RMS
"I want to use software that doesn't suck." - ESR
"All software that isn't free sucks." - RMS
Recording of phone calls is quite typical at many companies. At the investment bank where I work, for example, all calls into or out of the trading floor are recorded, and random calls to or from other phones are recorded.
cjs
The world's most portable OS: http://www.netbsd.org.
Having worked in IT within a number of large corporate HR organizations I can say unequivecally that not a one of the corporations had a clue with respect to the Internet and a proper usage policy.
Number of points:
1. Scanning incoming emails seems dumb. I cannot control what I receive. I have some friends that send me some pretty foul crap.
2. In general internet/email usage should NOT be an issue of monitoring and logging. If your damned managers don't know what their employees are doing until some tech-weenies gives them a web access report the manager should lose his or her job. Employees can spend all day on the phone, or playing computer games, or talking at the water cooler - the internet is nothing new.
3. Why should HR care if someone is downloading porn for four hours a day as opposed to surfing for beenie babies on eBay for four hours a day. I mean if the idiot is showing it to other co-workers then treat it just like they had brougth a hustler into work, but if it is only on their monitor, HR should not care what it is.
It seems idiotic to me that someone who spends a few hours a day reading their hotmail can skim under the radar, while one hit at playboy.com can get another person fired. Again these HR droids do not have a clue.
4. If they are worried about usage from a capacity standpoint (too many large attachments) put a cap on incoming attachment sizes (from the Internet) - this should stop most of those cutesie executables that everyone sends around. Just plain text emails from friends are never going to tax their capacity.
What employees can do to protect themselves:
1. Don't use your company inbox for personal email. Get a yahoo or hotmail (I know, I know) account and access it via the web. If someone looks at a report and wants to know why you are using hotmail, tell them you have used that address for work related requests for literature or vendor information or on work related discussion groups, so you need to check it on a regular basis.
2. (common sense)Try to limit Internet usage at work and do not even think about hitting a porn site.
3. Many times usage reports list heavy users on top, and try to estimate usage time based on surfing patterns. Try to stay low on the list. If you have a lot of email to send (via a web email service), type it up before hand in a text editor and cut and paste it. If there are web sites you regularly visit, hit the major pages you read all at once and then go back and read the pages from cache.
4. If you do happen to get one of those 'access forbidden - incident logged' errors on what you thought was an innocent site, record the date and time, and the address of the site you thought you were accessing, and what you thought it was. You might need to explain. In general don't guess at addresses, or go to an address which you are unsure of.
5. Know your company's Internet policy, and if you are not a techie, or are a techie in the wrong department, get to know the person that is responsible for generating usage reports. Information they give you can help you slip under the radar.
6. In general, the bigger the place, the easier it is to avoid attention - be extra careful at smaller companies if they have a logging system in place.
-josh
There are a couple of ways that you can work around this.
A) You could simply ignore HR and do nothing (but say you did)
B) You could do the scan and fake/ignore the results
C) You can warn all the users ahead of time, giving them time to clear their mailboxes and making it clear their privacy is not guaranteed in the company (All Hail The Company!). By that time the scan becomes an almost moot point.
A and B will likely get you fired if HR finds out. C will technically be following through HR's request, but you will annoy a number of people on both sides of the fence.
Unless you can beat HR, this is a no win situation.
_ _ _
In regards to how the IS guy should deal with the scanning for porn problem. I think that the best policy would be to warn the masses two or three times. Give them plenty of notice to stop the incoming offending material. Then when the scanner gets hits send notices both to HR and the employee. The nature of the material and ones relationship to the person receiving said material could result in a not-totally-unbiased reporting of incidents.
Did that make sense?
I'm probably going to seem righteous, but I'm of the mind set that has nothing to hide, so let them scan.
I've read and signed the Internet Policy here at __ ___________. I sometimes get offensive material (jokes, pictures, ...). I think most employers are more worried about keeping harassement cases to a minimnum, than keeping employees hands off their peckers.
-----Don't Take life seriously, you'll never make it out alive.
Said like someone who actually has had to do it... I think your approach is the best approach...
"You can't make a race horse of a pig"
"No," said Samuel, "but you can make very fast pig"
What does that mean?
The minimum you can hire someone full time for is 2 years in france... Thats the way to get your economy kicking.
"I will insist on taking whatever I can from the government or other citizens"
-Frenchie
The last time I tried to "come to France" the whole damned country went on strike!
Unfortuanately, the company network is the companies property and it is the companies email. At least in the US AFAIK. Yes it is an invasion of privacy to your users IMHO, but it is the company lan, and is for business purposes. I believe there was a company (I wont say the name but they are a consulting company) that got sued because its employees were found to be discussing the project in there emails, and they had nothing good to say, they were telling all the problem to outisdes, an dkeping the client in the dark. There email was used in court trials, in the US. Look at the Microsoft trial, the email has been used in court. Internal Microsoft email I believe. This is done all the time in the US, it is often downplayed thou.
Yes, this sucks!
However it is not a sysadmins job to scan and read email. It is your job to set up some utilities to send email with certain words in them to you, or an appropriate person. This is ofcource if the company requests it.
Personally, the company that I work for found this to be an incrediable waste of resources. We have 7 buildings in my home area, and a global network. There are just to many emails traveling thru our networks to track it all, and it would be a full time job searching thru email. They tried, and now it is just if you walk up to someones machine and they have porn on the screen then they get busted.
Yes it can be done, but as I said it is an incredable waste of resources. You should inform the human resource people that you do not have the time to search thru email, and that if they insist that you do this that they increase your pay as it will increase the amount of work that you do. Or just tell them you'd quit.
Sysadmin jobs are a dime a dozon, while sys admins are not. Just look in the papers today, there are plenty of jobs in most major cities in the US, and for someone with experience, you can leave the company and not have to put up with that.
Only 'flamers' flame!
HR asks for this all the time, although not for porn, but in respect to particular "issues." I'm kind of opposed to the Orwellian nature of it, but at the same time it is the company's equipment.
It's kind of a bug hunt, really, because I never find anything particularly incriminiating and I waste hours of time reloading old backup tapes and so on.
However, it is kind of fun to scan people's email. Most of it is boring as hell, but once in a while you come upon some really juicy material (totally unrelated to the probe in question).
HR's attitude is kind of funny -- they're almost GLAD I can't find things sometimes. It's kind of like, the less evidence there is, the less likely there is anything incriminating that can be used against the company (although the less than can be used against the employees as well).
I guess when it comes down to it, you can either be under the jackboots or in them. I'll take the latter every time.
I don't know how things are in the U.S., but what your bosses are suggesting is absolutely illegal in many countries including my own. As it's illegal it can't be "overruled" by company "rules" either -- I remember a case where a managing director was charged and convicted for reading employees' email.
In general email should work exactly like snail mail, and it should go like this:
- If the snail mail is addressed to
company name
person's name
address
then the secretary or whoever opens it and registers it and everything. However, if the employee's name is at the top and only then followed by the company's name then it's personal and the secretary or anyone is absolutely forbidden to open it. A company can't just decide on it's own that any envelope coming in their door can be opened, whoever it's addressed to. The bank, the authorities, whoever, is allowed to send private post to any address, even if that just happens to be a company's address. They can refuse to receive it, but they cannot receive it and then open it. With email it should work like so:
- any personal email address is personal, and it's up to the employee to decide that this is company mail (if so) and forward it for archiving (if that's the practice).
- non-personal email should always have a non-personal address, e.g. project-X@company.com, support@company.com, internal-jokes@company.com etc. These addresses can work like internal mailing lists and can be automatically archived. Thus no need for intercepting and storing everybody's email either (another very bad and, in this country, illegal practice). If the company don't want the employees to have truly private emails then the only thing they can do is to refuse the employees to have personal email addresses. Fair and simple as that.
TA
Or maybe we'll just use 'her'.
Or maybe ta (1).
-k. ^-^ ^D
Dead right -- it's the company's equipment, and you're paid to do work-related things, not wank around on the job.
Yeah, I know the above's redundant, but I wanted to show a little support for the position as well as mention something I saw on TV tonight.
Congressman Bob Barr was on the Fox News Channel tonight (on the O'Reilly report) discussing ECHELON. He said that the House Intelligence Committee summoned a National Security Agency representative before their committee to (1) explain exactly what it is that they're doing, and (2) explain why they're doing it. The NSA official refused to answer any of the questions, invoking attorney-client privilege.
Kinda makes you wonder if the agency is accountable to anyone. So basically, nevermind the workplace, it sounds like those of us in the USA, UK, Australia, and New Zealand have had our right to privacy taken away from us anyway. I wish I were confident that my PGP- and Blowfish-encrypted stuff was safe, but I've got the feeling that the NSA can break those if they really feel like it.
Cheers,
ZicoKnows@hotmail.com
This is completely and totally legal, and ethical. It's my computer(s), so I'm gonna know everything there is to know about it, from your logon/off times to a spread of your most commonly accessed webpages from that machine.
[Seriously guys, what kind of moron looks at porn from work? The kind that needs to be *fired*!]
If I were in this guy's position, I would take a gentle, fascist approach. Since the Company wants to know what's on the Company's computers, and all employees of the Company are part of the Company, all employees should know the results of porn-sweeps.
Create a public message board, in a main breakroom or hallway, and post the results, sorted by name, of potentially offensive emails and files stored in all employees' work systems and mailboxes.
[Now, if the HR people *happen* to get subscribed to the Naked Amputee Chat mailing list, wouldn't that serve 'em right?]
Heck, once this plan goes into effect, broaden your power! Bug all phone-lines and Icecast them! Monitor everyone, and broadcast it on the local lan! Webcams in every office! In the restrooms! (That way you can find out who's been leaving that horrible noxious vapor after lunch...) Infrared those cameras so that everyone can see who's been farting in the hallways, and who gets aroused around the secretaries! PEOPLE HAVE A RIGHT TO KNOW THESE THINGS! Contract some ex-NSA spooks to follow all employees home! Force your hired spooks to sleep under your employees' beds, in case they talk in their sleep!
BRAIN IMPLANTS!!!
HIRE THE PSYCHIC NETWORK!!!
What?
What?
What?
And maybe that was the point of my original post.
Now that's a good attitude. By the way, _who_ is really doing the whining (notice spelling) here? Looks like it's you buddy...
I have a new respect for France.
Remember - it's corporate vs individual rights.
On a similar topic, I was recently asked to clean up the web pages of an employee who had been terminated over said web pages. It was pretty minor stuff like links to the Bible and various political sites. When I was asked to clean up the pages I demanded that they tell me exactly what to clean up as I didn't want to be the one making the judgement on what is right and wrong.
Scary times.
Go ahead and do the scan. There is no ethical reason not to. Employees are there to work not exchange dirty pictures. Make the requesting manager(s) specify, in writing, the criteria for what is and is not "porn." Tell the you need very specific criteria to effectivly locate the offending files.
Hand the results off to management and let them deal with the legal repercussions. Expect PGP to get real popular on your network...
It depends on how bored I am :) sexual offense stats of any type (but esspecially rape and child molestation) are hard to compile accurately, both because of rates of reporting and because of definitions.
I don't have any quibbles with your figures, they just add weight to my argument, which was that after reading slashdot, where the great majority of the conversations do assume that the default gender is male (which I rarely quibble with, because I see it as pointless, even though I'm not male) suddenly some person is complaining about how sexual offenders, whom by *anyone's* numbers are by and large male, are being defaulted to male.
it was the utter and complete illogic of it that hit me...
I find it very interesting that after reading several K worth of comments that assumed that readers were male, that employees were male ('guys ' is as gender neutral as 'him') etc etc, the only complaint was when sexual offenders (of which 70% to 95% [depending on where you get your numbers] are male) were referred to as male....
hmm...
interesting indeed.
Companies (especially large companies) are now, more than ever, likely to be involved in sexual harrassment lawsuits. If a charge of sexual harrassment is brought against a company, then that company will be investigated - this can include searches of that companies file and mail servers.
If any pornography is found on any company systems then that will be used in the court case to show that the company was negligent in meeting its sexual harrassment prevention obligations. In fact if I remember correctly (IANAL of course) this has already happened in a couple of high profile cases.
We live in litiguous times, and this unfortunately means that sometimes companies have to take strong actions to protect themselves.
Flame away...
The gift of death metal does not smile on the good looking.
I dont really buy this company property b.s. As someone pointed out above, if they buy you a notebook (as in paper), do they have the right to look at everything you write in there? It seems to me that the right to privacy does not disappear the second you're on company property. I'm sure an argument can be made that the company is allowed to monitor your work; but reading all your correspondence? At the very least they should warn everyone explicitly that e-mail is going to be checked.
:-)
The way I see it, the bandwidth may belong to the company, but what you write doesn't automatically belong to them. Imagine your wife visits you at work to tell you something important (and private); does the company have the right to eavesdrop on your conversation? Afterall, you are on company property (breathing company air). The exception to this might be an extremely security-concious company, in which case they damn well better tell you that they're listening to all converstations. I think the same would apply to phone conversations. As far as I know, a company must tell you specifically that phone calls may be monitored (I may be wrong about this), so I don't see why it should be any different with e-mail.
That being said, if they do warn everyone I guess they have the right, but I sure wouldn't want to work there. I got enough of that shit in the Navy. If a company can't tell whether its workers are doing their jobs from results, then maybe someone needs to monitor the management's e-mails to see if they are doing their jobs
chris
San Francisco values: compassion, tolerance, respect, intelligence
Does every problem have to have a solution that screams out "Look how smart I am in dealing with this problem so as to cram my opinion down everyone's throat!" Signing up the HR department to porn lists and then scanning them...weeeeeeeeeeeeeeee! That'll show 'em.
You know there is nothing in the world that is an attack on your way of life like people making sure that you are not abusing THEIR property.
But this is just a step in that direction. The fact that your company can use the excuse that because they paid for the bandwidth they own the mail is scary. If my company buys me a notebook and I write something offensive in it, can I be fired for it? Do they have the right to search a bag if they buy me one?
-- atomly
Well, at GM there is a disclaimer on all login prompts that says something to effect that ALL communications are monitored. The company policy is essentially that because GM pays for bandwidth, equipment, etc., that personal communications of ANY kind are strictly forbidden and that all e-mail, WWW traffic, etc. can be scanned.
That being said, I don't think anyone at EDS (who does most sysadmin work at GM) actually scans the network traffic unless they believe there is a security breach of some kind.
How GM deals with the issue is that 1) it assumes that GM employees and contractors are professionals and as such are somewhat trusted to behave professionally and 2) not everyone automatically has Internet access, including access to e-mail: you basically have to have a business case. Most people with PCs have e-mail, but this is not the case for other forms of Internet access.
Finally, when it comes down to it, if you simply cannot morally abide by it, either A) refuse and stand up for your morality and get fired if thats what it takes (at least you will have your integrity) or B) tell them you're scanning but don't. B is a cop-out, IMHO: that option, in and of itself is morally corrupt.
Another option is to simply quit: there are lots of other system administrator positions available. But don't count on the other company to not put you in the same situation: its becoming increasingly commonplace for companies to scan their network activity.
My journal has hot
8 Bucks? What were you, the janitor? Christ I got twice that co-oping as a college student.
Blar.
A recent UK court ruled that employees were allowed to make private phone calls at work on company phones --- no URL, sorry. But, extrapolating, this implies that employees *could* be permitted privacy on the net at work, in the UK at least.
Anyhow, if you *really* need privacy, why not use hushmail and/or other encrypted web services?
BAAAAD ADVICE!!!!!
Imagine a company where all employees were allowed to make up/change policy on the fly...
As far as porn goes... I would expect to get fired as well as I would fire anyone who was caught viewing it. I cannot remember any company that had a policy that tolerates it, and it just plain does not belong in the workplace.
The company usually has the legal right to scan any email (remember Borland/Symantec Gene Wang problems), so it comes down to the choice - you want to DO YOUR JOB or QUIT - becoming a martyr for about 5 seconds (just about the time your replacements butt hits your still warm chair).
As far as it being the "morally correct" thing for the company to do, call Dr Laura.
When it happened to me, I raised a big stink.
What actually happened was I was told by an admin with more seniority to provide a log of a user's e-mail activity. It was an order handed down from the COO.
I asked for a valid reason. None was supplied. I refused and went to the CFO and the Vp of MIS. They then implemented a policy of checks and balances, that any decision about invading a user's privacy had to be signed by them and put before the CEO.
I'm still there, 6 months later (can't say I will much longer). Of course, we have a pretty liberal group of individuals in management (except for the aforementioned COO), I'm considered the golden kid, and it has a bit of a family atmosphere there.
The employee, well, the employee was fired anyways. But I may save others privacy.
As for me, I "accidentally" violate people's privacy. sometimes I notice some exec's personal assistant mailing someone in one of our subsidiaries (who she has no business talking to).
It sounds like company policy is pretty straightforward. Now, it depends on how this policy is given to the employee...if there is a rule book somewhere they can go look at if they (the employees) want to, there is a defense against the intrusion. If, however, there are flag's (motd's) banners on the bulletin boards, etc. explaining this, then there is NO reasonable expectation of privacy. Hey, the company owns the computers and has some sort of jurisdiction over the content. Not the best answer, but legally they might have the edge. I would ignore anything that is not illegal (child pronography, etc.) or not major abuse (i.e. 10+ images a day, etc.) It's just like playing solitaire on the Win95 boxes, wasted resources..... my $0.02 -Jaffo
Somehow the comments drifted from porn in email to porn surfing. I'll be brief and limit my comments to three:
First, what is porn? It was only a couple years ago that a wife (girlfriend, boyfriend, what have you) writing to her (her, his) husband mentioning that she (blah) bought a new nightie and was going to wear it tonight would be pornographic.
Second, is it legal for a company to go through the email on the computers it owns without reasonable cause or suspicion? Yes. Is it legal for them to terminate someone for one of the above emails? This depends on the circumstances, primarily on whether the employee signed an employee handbook and exactly what was in it.
Third, if you, as the sysadmin, start romping through computers, you have to be damn sure of what you're looking through. If you scan someone's home machine they brought in to work, or RAS'd in to the network, a personal hard drive hooked up to an on-site company computer, or even a personal floppy or jaz, that person could sue for invasion of privacy and though the target would most likely be the company, it doesn't take Stephenson to figure out that you might be the next target in the witch-hunt-of-the-month.
Kevin Fox
This has nothign to do with the 'rights of corporation'. Whether it's the companies private PBX, email system, file server, what have you, pretty much every single employment agreement/employee handbook states clearly that THE PLACE OF BUSINESS is NOT FOR PERSONAL USE. That means TELEPHONE, that means EMAIL, that means FAX, that means the photocopier, the pens and paper, even the goddamn filtered AIR! and the WATER COOLER! It is all paid for by the company, for you to use in the capacity of doing your job. The fact that those same resources allow you to get porn doesn't give you the right to do it.
This isn't like they are interfering in your private life. You are at work, doing work.
I realize there are many laws regarding email, and it is very unclear.... but the fact remains.
Whether it is the journal book on your desk that the company gave you to record notes in, or the memo pad they gave you to write memos, or the email account they gave you for company purposes.
In most company networks, there *is* no expectation of privacy with regards to email, or at least, there shouldn't be. Not if it has been stated up front. It's not your personal email account. It's an account belonging to the company, and you happen to be authorized to use it, and it has your name on it.
As for refusing to do it based on privacy.... There is another way to approach it.
As I said, if it was declared that email is company property, for company business only, then
t *IS* company property. If they said that casual personal use was allowed.. they may have to be more careful. *may*.
Privacy in communication is necessary, but absolute privacy within the company is not.
My personal belief is that the only time snooping should occur on web traffic and/or email is when investigating some issue related to espionage, breach of NDA, etc, and should be done with very much courtesy for people's privacy. Personally, if the network allows you to look at porn at work, technically, and you do.... HR shouldn't be on a witch hunt. If people are meeting their goals, then HR shouldn't have a problem.
Granted, the company has the right to scan their servers for whatever they want... it's up to you as an administrator if you wish to either
a) change their policies or
b) not work for them.
But the point isn't that they are *always* watching, it's that they *might* be watching, and they *might* find out, and fire you.
If they say 'As a condition of your working here, you will not look at porn on our servers, under penalty of dismissal' then you shouldn't look at it, whether they monitor or not.
I think the real problem with this sort of thing isn't the fact that people are scanned, but what is done with the information.
If Mr. Sysadmin is doing his scan, and sees a few naughty-but-mostly-harmless web sites or emails, or sees that someone is developing a bad porn-mailing-list-habit, they should be informed, casually, that this behavior could get them fired and that they should cease and desist. This information should go no further, unless it repeats. I realize this doesn't fit the standard company mold, though.
All too often, it is some semi-technical type in HR that wants to see the compelete log file, to analyze who is looking at what, and then they go balistic, looking to fire people for wasting company time. They see a dozen hits to CNN and think that the employee is 'slacking off'.
If an employee is really slacking off, it would be their dept. manager that should notice, as their work will be no good. The network admin should notice if large amounts of network resources are disappearing, and should investigate. There should be no wich hunt, though. After all, the company doesn't check every single piece of paper and doesn't record and analyze every single phone call.
Yes, the company *does* have the right to read everything... however, how the choose to exercise this is a matter of PR.
Note: It should be the goal of any modern HR dept. to already know how to deal with these issues without going on a witch hunt. If they are going on a witch-hunt, this shows backward thinking and you should maybe rethink your HR policy.
No, one cannot control what others send them. That is why any scanned results must be taken in context, in private, to decide what it really means.
should not be considered private. If the company has this in its acceptable use policy then that's that. No one says you have to report any hits to the powers that be, but if you're supposed to scan, you should at least have scanning software in place. Someone might bring a lawsuit against the company that requires scanning of email.
This is not an unusual request and I wouldn't give it any thought at all. Do your job.
If employee X is viewing porn and employee Y sees this, and is offended by it, the employer is liable for protecting employee Y, not safeguarding employee X's "privacy" or "rights". Our company has been hit by this and it is an open and shut case in the courtroom with employee Y a winner every time.
In fact, the newest scam is for an employee Y to just take a job at a place with the intent of pulling such a stunt.
A variation of this scam is for a Customer to enter a business. They see PCs in place and in casual conversation ask if they have internet access. If the answer is "yes", the Customer later files a suit against the business claiming they were exposed to pornography while "shopping" in the business. If a review of the legally obtained cache files and the cache index file of computers visible from where the "customer" says they were standing reveals porn sites were visited at some time, another slam dunk and the business loses.
It is not going to be unusual for businesses to request what they have of you. Get used to it. They are trying to cover their butts.
Dave Bennett
Chief Information Officer
Inland Truck Parts Company
Dave Bennett
Subscribe everyone in HR to pornography email picture lists. Turn them in. Work with the new HR folks for different policies. If they don't work out. Do it again. Information is power. You control the flow of information.
Play Well
As much as I hate seeing companies playing Big Brother with their employees, I have to concede that if you're getting paid to use the company's machines to get work done, they have the right to know how their machines are being used.
That said, if a company breathes too hard down the necks of their employees, the result is abusive managers, burned out employees, nasty office politics and extremely low productivity, meaning lost profit for the company. It's in a company's own best interests to respect their employees.
Privacy is one of the reasons why I left my last job. Now I have a much better, higher paying job where I don't have to worry about Big Brotherisms.
Meldroc, Waster of Electrons
I'm a big fan of privacy, and I believe that everyone should have privacy in most situations. However, if the company has an existing policy that company e-mail is not private and that it is company property, then it is certainly within their realm to scan it. A company is paying for its bandwidth and paying the employees for their time, if an employee is wasting bandwidth and conducting non-work affairs (excuse the pun) with the company's resources, then there is no reason why the company shouldn't be able to take action. The e-mail accounts belong to the company, not the user.
If you started looking through the accounts of upper and middle management, I think that they'd quickly change that policy after the first few little embarrasing secrets were discovered.
If you find kiddie porn in Australia, you are in violation of the law. If you report it, you are in violation of downloading it, even if you didn't mean to- if you delete it, or clear your cache, you are distroying evidence as well- you can't report seeing kiddie porn anywhere.
But they expect me to call the aba when I find some nasty shit on the internet.
Isn't my government kewl?
Send lawyers, guns, and money!
If you do this without a WRITTEN policy and WRITTEN authorization, you are asking for a world of trouble. True, it is the office's network and systems. However, somebody gets pissed and finds a good lawyer, and you are unemployable for a long while.
The way my work-place is thinking about handling it is that when a user account is created, the user is given a piece of paper that says something to the effect that "I realize that the computer and computer systems of my place of work are the property of my employer. As such, I agree that my activities on the network and in email, etc, may be monitored for ANY purpose." Then make the user sign this piece of paper. That way, your ass is covered.
In addition, HR should not be the people being concerned about this. If productivity is down, this is not a good way to handle it. If such a search is going to be started, it should started after proof of porn wasting time is brought to the head of the IS department (you or your supervisor I assume).
Just a few thoughts.
Yawn.
Civics 101... The rights enumerated in the Constitution have to do with what the federal (later extended to state) government can and can't do to you. Citizens and Businesses do not apply under the constitution.
DrLunch.com The site that tells you what's for lunch!
I'd definately do it without arguement, but only after getting a guarentee that there would be a *very* outgoing campaign to inform the employees that it _will_ be happening. As long as they know before they mail, and they're using the companies network, it's not a moral issue as far as I'm concerned. If it's private it's personal, and isn't something that should be using corporate computing resources.
Just My 2 Cents.
Eric
The louder he talked of his honour, the faster we counted our spoons. -- Ralph Waldo Emerson
My Sysadmin at my old job had an interesting "out" when it came to scanning web caches/directories/email for porn. It basically went something like this - he found porn offensive & distastefull (well he said he did anyway), there was nothing in his contract that said he had to subject himself to such distastefull duties, therefore he did not have to search for porn. :-)
The first thing that comes to mind after reading this is that they are searching in the wrong areas. I have friends all over this country from college and the variety of "interesting" things I receive in any given day can be astounding. To put it lightly, a lot of my friends are quite frankly "dirtly little bastards" and they do not always remember where to and where not to send things, especially if I have my bigfoot account pointing to work. What you are going to find is that some people have very little control over what their less than busy friends send them.
The second thing that comes to mind is, what are they really looking for? How many people do you know that actually get porn through their e-mail? Are they perhaps looking for people who may not be too happy at work? I would say that if it was me, I wouldnt want to work at a company that was so interested in whatever drivel I have going out in my personal e-mails, or even for that matter one in which I wasnt allowed to have personal e-mail.
The final thought that comes to mind is that I really gotta get my friends to start using PGP a little more often;-)
I like the sound of this....subscribe HR and the policymakers to www.spank_me_daddy.com and watch the fireworks from a safe distance! :wq
To heck with asking them to distribute a reminder... HR comes to me and says "Scan everything in email for porn." I say, "sure thing, it'll take me a couple of days to get things set up, and then I'll send the results to you". They'll be happy with that reply.
Then the first thing I'd do is email the entire company and tell each and every person the corporate policy on email/porn/etc. I'd also mention offhandedly that "At the request of HR, Computing Services will be conducting a thorough search of all email for porn and other forbidden materials commencing in two days. Any comments or questions may be directed to [insert HR moron's name here]"
After seeing this, all porn will be deleted, and nobody will be surprised by this action. HR might be a little pissed off, but there's nothing they can do about it (I followed orders). If they get mad at me, they end up looking like witchhunters, trying to ambush people. I'd call this the least of the evils.
In any field, find the strangest thing and then explore it. -John Archibald Wheeler
Unless there is a massive loss of productivity, or some untoward activites happening (both of which I doubt are very common), I don't see the harm in some personal use of the network.
;-p) I would not want to work for a company that did not recognise that with the volume of time being spent at work... some private business can and should be able to occur.
Of course, the network is the company's, and most have explicit policies about owning anything and everything on it. So, really, there isn't much choice... scan for porn.
That said... I know that I generally work 10-12 hours a day, as do most people around me. Work is almost every waking hour. (sad, isn't it?
--M. Snelham
An Ughly(tm) situation, this.
As has been stated, the company does have the right to sift through anything on its system, including e-mail. It also is perfectly legal, as stated, for them to root through your desk every night. Employees will start looking for other jobs if they notice the latter, and I would hope they do the same if they get too much of the former.
At my last job, I had to do research on a guy who was caught browsing porno sites on work time and resources. But it was made a lot easier because he was caught, in person, by his manager (who was female, and offended). I didn't have to sift through his e-mail, only his Web habits (IE keeps such a wonderful history). He'd also torqued me off because he abused the very limited network resources the company had. The policy at my current job is that e-mail is better left untouched, although the company policy does allow for monitoring.
I personally would not sift through everyone's e-mail by hand without a really good reason (preferably signed in triplicate by the requestor, the CIO, the CEO, and the Board). A single user, with good cause, yes. But even then I'd be happier with a nice script searching for keywords. Automated scanning, though I personally think it paranoid and disgusting, is legal (with notice) and does not really constitute "snooping" - after all, you aren't reading the messages (except those that are flagged).
BTW, for the commenter who noted no notice was necessary (according to legal precedent) - the last course material I saw on this said notice was a really good idea at worst.
And, lastly, if you belong to SAGE (the System Administrator's Guild), you should note that the SAGE Code of Ethics describes reading files (including e-mail) as a no-no.
Let us live so that when we come to die, even the undertaker will be sorry -- Mark Twain
YOU won't be violating anybody's privacy (your script will, but no human eye sees the non-guilty mail) except for those who are violating company policy
Are you serious?
Creating such a script and setting up a cron entry to run it is no "better" than just doing it manually. I don't think that qualifies as really helping the person who posed the question. He'd rather not have to get involved at all.
But I do have to agree with you in one way: Perl is cool.
Jeremy
Jeremy D. Zawodny /
I agree with this for the most part. There 18 billion free web based email accounts you can get for your personal mail, so why not seperate your work email from your personal email?
One problem with this is that it is inconvenient to have to check mail in multiple place. Also, If you work 16hrs a day, you can't really seperate your work life from your personal life... they blur together. Your friends are your workmates and vice versa. An email might contain both personal information and biz activity.
On other thing.. Biz cards are often the most convient way to give new people your email address, but few people have "personal" biz cards. (Perhaps they should, you can buy 2000 for around $80).
If people used their biz email account only for business then there would be no conflict scanning their account. But it's always personal information that the company is interested in. (who's thinking of quiting, sueing, etc).
-- Virtual Windows Project
Geez... privacy is one thing, but disregarding the value of anonymity! please... save the whinning - Anonymous Coward. It's not like you even have to list your valid email addy, and besides, you think they don't have your IP?
Get over it. Anonymity is dead. Privacy is on the way out, and the US is the no.1 country for bad privacy laws.
Everyone is living in a personal delusion, just some are more delusional than others.
Do a covert pre-scan, show flagged users how to use agents and rules to bounce possible incoming porn (& whatever else) off to their private e-boxes (give 'em copious examples).
Let 'em know your predicament about enforcing fascist company policy, give 'em an official "scan for real" date and only turn in those chumps foolish enough to not avail themselves of your kind offer. In all probability these scofflaws are rather incompetent in their jobs anyway...
Most folk in my company were unwitting spam victims and wanted the agents to just /dev/null the shit (management finally grokked the concept of "spam" (D'oh!) and dropped the matter completely, thank Ghod!)
[as a hypothetical aside]: Why would want to receive porn at work anyway? It's not like you can JO over it in your cubicle or something... Sheesh, do like I do... keep your porn safe and secure on your personal laptop (& copy to CD-ROM as warranted)
First of all, who is going to watch the porn? There isnt any sure way of scanning for specific kinds of images, which means someone is going to have to check it. I hardly think that your job description includes a requirement that you watch material that you may find disturbing. Or maybe the HR department is too lazy to get their own porn and want you to collect it for them?
Waste of company resources isnt a good reason either. Autoscan and delete any MS Word attachments would probably save more wasted resources in the average company.
Frankly, you can get a job at a better place. There are plenty of companies that value ethics and a respect for privacy. A sysadmin that has no compunctions about reading other peoples mail is someone who will just as well read the bosses mail and find out how to use it for his own gain (stock tips?). The only legit reason for checking mail is when someone is under suspicion of a crime, and in that case Id just check the logs to trace the offending mails, and just in the worst case actually scan the mail boxes.
Ok. Personal email on the company network is not private. You will now be required to scan all email boxes to ensure that pornography isn't present. So the first thing you should do is to send a general notice to EVERYONE in the company informing them of the scanning policy so nobody gets caught offguard. That way, if there IS any porn to be found, it can be eliminated before anyone gets around to finding it.
This solves 2 problems. 1 - nobody will be "wasting time" by looking at porn and 2 - you won't have to come across as the bad guy.
The witch hunt will prove to be unsuccessful and a waste of YOUR time which could be better spent elsewhere.
Just a thought.
-Restil
Play with my webcams and lights here
at least in California. I heard this morning on NPR that a bill passed senate making it illegal for employers in California to read employees email. It passed without opposition. After noticing this ask slashdot question, I tried to find more details pretaining to the bill and have been unable to do so... I would hence take this information with a grain of salt. FYI, enough employees have sued over these kinds of privacy issues to scare MY company into making a policy of email privacy. We're even a little touchy about proxy statistics.
Anyway, hope the information comes in handy. If anyone knows where I can get information about this bill, I'd love to hear from you.
Ryan Taylor
Applications Developer, Schulze Mfg.
That and send _everyone_ an e-mail. IANAL, but all of the places I have worked have had me sign a waiver stating that all internal e-mail was the property of the company. Somwhere in that waiver it also states that all e-mail could be audited at any time. That said, I am not sure if it is implied that _not_ signing such a statement ensures that e-mail is private.
If HRs goal is to 'catch' someone with proscribed items, perhaps they will be annoyed that you choose to warn the lusers beforehand. OTOH, if the goal is to reduce/eliminate a problem, then everyone should be happy.
In the immortal words of Socrates, who said; 'I drank what?'
Anyone dumb enough to rely on email to get porn deserves to get caught.
Anyone actively getting porn off the internet is downloading it from newsgroups, not via email.
MrCreosote Meow!Thump!Meow!Thump!Meow!Thump! "You're right! There isn't enough room to swing a cat in here!"
and send me the good stuff.
Phone calls cannot be monitored because the phone line is considered a "common carrier" and thus not the property of the company.
Wrong!
At many places (say, call centers), monitoring phone calls is part of the normal process of evaluating employee performance. If you're foolish enough to make a personal call from the same phone that you take business calls on, and get monitored . . . oh well. Not only that, but all of your calls are recorded. The recorder runs 24x7 and will pick up noise from the room even when the phone isn't off-hook. Of course, I believe legally you have to announce this to callers (i.e. "To maintain service quality, this call may be recorded").
--- Where's my X.400 protocol decoder?
Carlosian Advice: Follow your orders, your concerns for privacy do not apply here, since there is no privacy that you possess to be concerned with.
And typically, anyone who is foolish enough to use a company server (or any server for that matter) to relay unencripted private correspondance is simply tempting fate, and deserves what is comming to them.
*Carlos: Exit Stage Right*
"Geeks, Where would you be without them?"
*Carlos: Exit Stage Right*
"Geeks, Where would you be without them?"
"Got Linux?"
That to me seems like a genuine witch hunt, I can't see how someone sending/recieving
e-mail can be construed as non-productive. Who sends porn via e-mail?
Maybe some nasty jokes..... If their motivation is a productivity issue,
they should be blocking http access to or monitoring access and content viewed.
My guess would be that more time is wasted doing day trading and reading slashdot than grabbing p0rn.
And according to the directive from HR these activities can be interpreted as allowed????
--
Rick B.
Hey, who's to know. It is a waste of time to do this anyway. If someone was sending/receiving porn, it would often be caught by other means--peering eyes or noticing that some people have a large e-mail file/DB, but few messages.
We caught one guy when we were checking our web logs to see what was taking up so much of our pathetic bandwith. The guy was demoted.
E-mail is different from a phone. For one thing, you can't send pictures over the phone. Also, all e-mail is routed through public networks. Sysadmins at many points have access to these e-mails. E-mail is far from private at any level. If users want privacy with their e-mail, they should use their personal accounts on their own time.
I wholly agree that the company owns the computers, but what you write belongs expressly to you. I know that in the US the laws don't reflect this opinion, but it is up to everyone to put a stop to invasions of privacy.
From my point of view, scanning email does represent in some what more of a problem... but look at it from the "bright" side, you don't read the proxy log to see wich WEB site where visited by whom etc.
Where I work (an High School) I have to monitor "Students" web trafic to ensure that there is "no" porn site visited and other "not allowed" sites. The only thing is that I don't only get to read the student trafic but also the "Staff" trafic forcing me to learn TO MUCH about some people by the web sites they visit when they think nobody is looking...
A good solution I found to that (and a good argument to prevent the "scanning") is to plead to my superiors that knowing "so much" about my coworkers would affect moral and relationship and would be a bad thing for everyone. The solution I proposed is to gather each log in a DATABASE and Run a small "home made" search engine to verify suspission on one individual.
Hope you could understand my poor: 3:30am english.
As posted above, have your mgmt/HR dept. come up with a definition of what they mean by porn, and make the scanning policy public--including what will happen to people caught violating it. Whether the company is right or not, anyone with the moxy to take them to court will have an easier time doing it if they don't do this up front.
;-)
Then ask mgmt just how they expect you to scan for porn. Are they looking for curse words in the subject or text? If so, is s*ck one? Are they looking for picture attachments--how do you scan for that? Are they looking for URLs to porn sites? (Do you have a list of all porn sites on the web--you really should publish that --> so everyone knows NOT to go there
When mgmt comes up with these plans to "increase productivity", I "respectfully recommend" that they work their own derrieres (is this porny?) off figuring out how to implement them.
I also wonder how the people that come up with these plans have so little imagination that they can't figure out that as much, if not more, time will be wasted trying to come up with ways to get around the ban, as was spent by a few folks who just needed a little stress relief. I mean, what proof do they have that the activity exists to the extent that it warrants spending a sysadmin's time playing junior vice squad?
Why not use PGP et al and encrypt those 'sensitive, job-endandering' emails. Start giving out your public key to all your mates, encourage them to send you their's. And the suits can scan all they like....
Its a hassle, but its peace of mind.
Oh, I forgot to mention the reason I was going to post in the first place: I was going to say "Warn them first", which is how my posting ended up in this thread. But I got off track when I saw the posting that, when paraphrased, goes something like this: "they don't have the right to search their propery that we're using." I felt the urgent need to respond to that and forgot what I had set out do do... my fault.
:)
I think "warn them first" is the most important message. We all use company software, hardware and or e-mail for personal matters, and my policy has always been to warn first for things like porn searches and so forth. It gets the stuff cleaned up and avoids any undue embarassment, or an otherwise-productive person from getting fired for something stupid.
By the way, I still think the handkerchief analogy was dead-on
RP
> The fact that your company can use the excuse
> that because they paid for the bandwidth
> they own the mail is scary.
It's fair and it's right. Company e-mail is company e-mail. Got personal stuff? Send it through your own.
> If my company buys me a notebook and I write
> something offensive in it, can I be fired
> for it?
If I borrow your handkerchief and crap on it, you'll probably want to not let me use your handkerchief anymore.
> Do they have the right to search a bag if
> they buy me one?
Of course they do. It's theirs. Sheesh. You want something of your *own*? Quit using the company's stuff.
That's my take.
RP
I'm kind of a connoisseur of free email sites. M&N.com does so many cool things, like the SSL layer, no tags on your email, full POP access... But the web interface is pretty slow and clunky, and there are unexpected holes in the functionality (you shouldn't have to wait five seconds for a new page to show up so you can select a name out of your address book, for example...) But there is no perfect free email address... :)
Great idea! Not the part about subscribing them to porn lists. That's not playing fair. But you may be able to win while playing fair. Hit the people in authority first. Hit the big time suits; hit the HR people who started the witch hunt.
Though I am on the side of privacy I think that when you sign on to a company and you read the rules and the contract and put your signature on it that you wave your rights in the workplace. Everything is owned by the company, every e-mail, every v-mail, every cached little file on my machine and in my network space. They have made it clear that they own and can do whatever they want including going through my files looking for porn or whatever makes them happy. Do I agree with this? Well, I signed the contract. Would I do it if I were the admin? If requested to, yes.
This shouldn't even come up. Why the hell is anyone downloading porn at work anyway? If people are dumb enough to be fucking around at work, then they are taking the risk and deserve what they get if they get caught.
I can't let this go without commenting - drug tests examine your behavior both on and off the job, while the mail scan is only investigating activity on the job. There's a big difference as far as privacy rights are concerned. On to the next point -
There's nothing "gleeful" about a company protecting itself from activities that could affect it financially, be it drug-addled delivery truck drivers or weirdos downloading and posting kiddie porn. It is a fiduciary responsibility - officers of a company are required to protect the assets of the firm, including "sue-able" assets, and the auditors would find them legally negligent if they didn't do this!
Everyone will start to cheer when you put on your sailin' shoes.
Bad idea! Don't make the judgement call yourself. Because if you do and there is any kind of dispute you will be held responsible. Either report nothing or EVERYTHING.
Reporting EVERYTHING actually serves a purpose. Overwhelm the suits with 10's of MB of data every day or week and let them sift through it. If they have to do the work of sorting through it they will soon loose interest.
Well, we are assuming that this person is in the US. THe law varies from country to country.
I was asked many years ago by a customer to install monitoring software to check the work rate of secretaries. I POLITELY said that I felt uncomfortable about that and requested that if they wished to have that software installed, then they should contact my manager. If necessary someone else could come and install it. As long as you are polite, and reasoned in your arguments, most employers should respect this. If not, then you've got a good reason to find something else.
Note that in some countries this is illegal unless the employees are officially notified. There can be some fairly restrictive rules on how and when this information can subsequently be used.
As it seems, the problem itself is not just with the monitoring but that the HR department is forcing a policy on everybody. From research I have read, productivity in the office increases when the employees are able to make the policy of monitoring. If the employees had more input, I don't think this would be as major of a philosophical issue as it is.
The other problem is that too many companies have adopted a policy of monitor everything with no real reason to. I could understand starting to monitor transfers if there is a good reason to suspect something illegal going on. There is no way I would want computers I owned being used for illegal things. However, it seems a lot of companies just want to monitor everything first with no reason, and then make up a reason later. This is not just with computers but also with phone lines, cameras, etc. Of course this has resulted in several lawsuits against companies. The biggest problem it that is seriously demoralizes the employees of the company who soon no longer want to work there or just hate working there. The result is that productivity goes down seriously.
With the way a lot of companies are run anyways, it really doesn't matter much since the people in charge are too stupid to figure these problems out and why they are occuring.
Just my opinion.
This is not private at all. Anyone can have access to your account !
Even (more) secured web based sites aren't:
Data can be retrieved via the proxy, if your company use one.
I consider your post has an false advertisement for one of your company product: hotmail.
Scan it all. The users do not own any portion of that network, the firm does, to include any Co. owned machines "at home".
Just don't scan privately owned equipment.
Eve Fairbanks says I drive a hybrid!LOL
1. Require the legal department to sign off on the policy (for all jurisdictions in which your company has a presence).
2. Set specific standards for proving that any e-mail pr0n was solicited by the recipient, and not spam, maliciously planted, etc. Depending on just how much you don't want to do this, your definition of the word "specific" can be just as flexible as Bill Clinton's definition of the word "is".
3. Set specific standards for levels of accidental access to typo-URL pr0n sites. See above re the word "specific".
4. For each amendment somebody makes at steps 2-3, repeat step 1.
If a policy ever does emerge from the black hole that is a legal department (I thought it was common knowledge that Legal is where you sent bad ideas to die -- I remember seeing a Dilbert strip about this from before the boss had pointy hair), there is always malicious compliance.
/.
/. If the government wants us to respect the law, it should set a better example.
Are y'all assuming that people f*'ng sign up for XXX spam? I'd rather break a toe. I filter it, but some sneaks through, 'cause I don't want to be too restrictive.
But I imagine a sniffer could catch the stuff before my filter weeds it.
Not to sound too anti-sexed, but I used to predict how lame a day was going to be by counting the number of Hot/Teen/Live/XXX/Sex spams arrived overnight.
Ok. I Have an idea. If someone is downloading porn and keeping it to themselves, what is the problem? if someone else happens to see it, and find it offensive, then the problem starts. i think, if reported, then the person who has the porn (or other offensive content) should be warned, and if reported again, diciplinary action be performed. this would root out many privacy issues and make the overall situation better in the long run. It really pisses me off when someone finds something even slightly, then without trying to rectify the situation, immediatly cry out "LAWSUIT". This is ludicrus and plain stupid. If you are going to monitor the people's accounts, definately warn them. to do otherwise would be wrong IMHO, though it is still an invasion of privacy.
It's not a time waster, but it can be a big waste of disk space. Once, on a machine that I began to administrate, I discovered that almost all of the disk space was being devoted to porn.
I don't care if anyone looks at porn or not, but I do have a large issue with people who uses up so much shared resources on such a non-essential item.
I'm not sure if I'm real.
i don't think that the company needs a policy expressly stating that all email is their property, it should be a given. obviously, there should be a code of conduct that office workers are made to understand that clearly states that there should be no pornography passed around the office, be it in email or on paper.
however, this company is within every right to read their employees email. it is THEIR company, not yours. if you don't like it, you don't have to work there. if you find that highly objectionable, then you really should talk to your companies higher-ups about it, and attempt to persude them to change their policy. if they don't and you are still strongly opposed, i suggest you get a job elsewhere.
The company owns all the equipment, and has the absolute right to search the mail. They provide your computer and email as a tool to do your job. You can't take a company car for a weekend in Vegas, and you can't use your email for porn, if the company doesn't want you to.
Having said that, it's really a matter of whether or not you want to work in a culture that goes on witch hunts like that. A culture like that is bound to be repressive in other ways also (I bet you wear a tie every day, even if you are going to be crawling on (or under) the floor!)
I have worked in that type of environment before, and would never go back. I now work at a company that doesn't give a damn what you look like, or what you do in your spare time, as long as you get your job done. I'm happier now than I've ever been.
Think about how many hours you spend working every day. Do you really want that kind of weight on your shoulders? I certainly don't.
However, I would say that the writer probably was thinking of a male, because most sexual offenders are male, as you pointed out. This is a blinder type vision, and could turn around and bite some of us in the butt.
I think it's good that you pointed this out to people, because just because your neighbor is a lady, doesn't mean that she doesn't want to do things to your children.
. when in danger or in doubt, run in circles scream and shout --Robert Heinlein
1.) It's a large bureaucratic company
2.) It's HR, the heart of the bureaucracy.
I would find a smaller, less bureaucratic company to work at. Generally, the smart people of the world aren't working at large companies anymore. If you're working at a large company, and you can't get hired by a small startup, you're either 1.) inexperienced, in which case your situation is temporary, or 2.) incredibly lame.
If you are (1), then do the bare minimum to satisfy HR's requirements. Give them a few token heads on a silver platter, keep your head down, and *get* *out*. If you are (2), just use your inherent incompentence to keep everyone's privacy safe.
it seems that in a situation like this, you should make every effort to make everybody happy.
do the scan. make the reports....and make the suits happy.
but before that, send an email to everybody reminding them (in a particularly urgent way) that all email is company property, that transfering porn may get them fired, and than that you have been given the right to scan email for such material (and that you may excercise that right)
wait a few days, then do the scan. if anybody failed to heed your warning, then its their own fault.
-james
"He was a wise man who invented God." -Plato
Pure and simple, do what your told. BUT, post some messages to select newsgroups, using those who asked you to snoop. Results, unsolicited pornographic email. Personally I detest unsolicited email; but everything can be a tool in a fashion. BTW, yes it will work for you, it has worked for me (in a fairly large company I was on contract to), and it will work for us again.
What if you make a typo and end up at some porn palace by mistake, and then as you keep hitting the back button and close box, more port sites keep popping up?
There's a lot of pr0n sites that get close to a real site's spelling just to trick you. Some I've stumbled into include icrosoft.com and licos.com
As a SysAdmin, I get paid to keep my systems running - period. I don't get paid to surf email. First, they'll want to check for porn. Then, they'll want to check if people are releasing company secrets. Eventually, they'll want to know everything that's going out in email. Damn Stalinists.
Many posts have said that it is well within companies' legal rights to put forth a policy like this as long as no prior guarantee to privacy was ever made (I don't think this is ever the case). I do not look at porn at work (although I usually have a slashdot window opn ;), however, as an employee, I would really feel paranoid if I knew somebody was watching all traffice that passed through my machine. If a policy like this was set in place I would probably start looking for another job. Imagine if you had "paper" job, and there was always someone standing next to your desk, or a camera over you, watching every single thing you do, making sure you didn't abuse company ledger and take company stationary and writing utensils. Sure, it would be illegal to, and you probably don't do it anyway, but it would still probably reduce your productivity if not job satisfaction. At a job I like to think that I'm working, not the company working me.
It's 10 PM. Do you know if you're un-American?
oh.. and my friend Dave has another question for you: You mean that you have been in a position where you can scan for pron and you havn't done it yet? You really are one of those "good admins" that we hear about. How in the world do you keep your (l)users in line? Example:
"Todd, I can't seem to access my email"
"Yer, that would probably be because of the size of your mailbox due to all that pron you get every day.. I'd say you just got an extra large amount of it today and the email program you use, Netscape Communicator 4.0, is taking a long time to download it all. Just go back to your office and wait"
"Yes, sir." - the executive head of human resources walks away.
another example:
"Todd, we've noticed that you have installed a quake server and have been actively encouraging the marketing department to 'get their arses kicked' by you when they should be working. Can you take this off the server please"
"No, we're not going to be doing that"
"Oh.. well I'm afraid I'm gunna have to ask you to."
"OK.. well I wasn't doing anything important anyways, just leafing through your email to your friend in New York.. ya know, the one where you explain to him how you manage to get your pron subscriptions not to show up on you and your wife's joint credit card..."
"Well I guess they can still play on their lunch break"
"Yes, I guess they can"
Todd is a figment of my imagination.
How we know is more important than what we know.
What happens to the guy who's wife emails him about the great time she is going to give him tonight and it ends up in some manager's (who happens to be very christian) email box? How will you feel when that manager takes it upon himself to cause as much trouble for the "Godless heathen" as possible?
Then you're an idiot to expect anyemail to be private. You wouldn't send credit card information over email, so why would you send anything else that is private? (If you knew how they worked, you would also not say private things on a cellular phone).
Also, although I've seen this a lot on Slashdot, it is my belief that you should not eliminate something good, just because it could evolve into something bad. Think about banning debuggers just because they could be used to crack some copy protection scheme, or (ala UCITA) allow you to reverse-engineer software.
I have an expectation of privacy when I encrypt something, or when I use a land phone line. I do not have an expectation of privacy when I send something in cleartext over the internet, or when I say something over a cellular phone.
It's quite simple.
--------
"I already have all the latest software."
How do you say "him" using the term "one"?
--------
"I already have all the latest software."
Why is there always someone who will bring this up?
I personally refuse to write "him/her" ever. Why? Because it restricts language. Assume that 1000 years from now, we encounter an alien life form, having 12 sexes. Are we going to list them all any time we want to refer to any of them? (him/her/it/bhir/jior/shior/ghet/etc...)
No, we won't, we'll just use "him".
--------
"I already have all the latest software."
You can tell by reading the logs whether or not someone accidentally got in. (following 5 links deep is a sure giveaway, not to mention having 20 porn hits in 2 weeks)
--------
"I already have all the latest software."
By the way, I wonder how much space it takes on Slashdot's server to store a 3 word comment saying:
"Yes, I agree."
--------
"I already have all the latest software."
I believe "expectation of privacy" is a legal term. You have an expectation of privacy in the washroom, although someone may install a camera there.
--------
"I already have all the latest software."
Dude,
If you're a good sysadmin, and you're reason for leaving this job is that you weren't willing to help these lusers pull this big-brother shit on their employees, then any decent ISP would take you in a hearbeat.
A good sysadmin is *hard* to find. Let them find that out. Also, if you tell them no, they may get a clue that it's not OK to do.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Images depicting having sex with children as a gratifying and positive experience are pretty likely to encourage pedophilia. Hate speach encourages hatred. What people say (or draw or whatever) does affect other people's opinions and how they act. If it did not, there wouldn't be much point in having free speach.
When someone willfully disregards the effects their speach has on others, they are behaving irresponsibly, and at a certain point that irresponsiblity becomes criminal.
You're being paid to work and be productive, not punch bobo, however if thiers nothing to do.... (I spend some time reading /. at wotk) But a policy is a policy. i.e. "Any caught using company network to access pornography will be shot on site" I say scan away.
"If you love someone, set them free. If they come home, set them on fire." - George Carlin
The bigger issue is this - what exactly does a company achieve by resorting to petty monitoring, other than ruining its own culture and terrifying its employees?
The company's goal is to reduce the risk of lawsuits, plain and simple. We've all laughed at the stories of ridiculous sexual harrasment lawsuits, but for a large company it is a real threat that is always expensive, whether the allegations are justified or not.
If a company were worried about bandwidth, it would institute a limit on attachment size or something similar. That they are concentrating on porn shows they are more concerned with harrasment suits. It is easy to say "But I'm the only one seeing this," but what if a co-worker walks up behind you without you knowing? He or she could allege harrasment, which would cost at least in the tens of thousands of dollars just to defend if it went to court. The problem with the current harrasment laws is that the victim defines what is harrasment. Whatever I say is offensive in my own mind is harrasment.
It is against these kinds of lawsuits that the poster's company wants to defend itself. I've never met a manager that wanted to find employee's porn just for fun. They're just trying to protect the company from lawsuits. (BTW, Playboys in your drawer or dot-matrix printouts can be harrasment if someone that happens to see them is offended. I worked for a publishing company where the boss found, and immediately destroyed, an employees stash of mags.) What we don't know, and HR would never tell, is what the events are that precipitated this move. Maybe it's just technophobia, or maybe there have been incidents the poster is not aware of. Given the number of confessions in this forum, I wouldn't be surprised if it were the latter.
Be very, very careful with telnet. Unless you know what you're doing, it is all plain-text. Capturing packets from a telnet connection on your network is very simple, and they are in a nearly human-readable form immediately. You're best bet would be to setup a web proxy on a server you are familiar with (maybe a comp at home). Config the proxy to run through Apache and make it https://. Then you can use hotmail and read the web, and all a packet scanner would get out of it is complete garbage.
-- Terry
Maybe not of interest to most of you, but where I come from (Norway), it's illegal to scan traffic/mail whatever, even if it belongs to the company, as long as there is no major security hazard/risk suspected.
Privacy is respected.
Level 1: People who won't get in trouble...it's safe to let the bosses have their way with them
Level 2: People who would get in trouble...do everything possible to protect them
Level 3: People who should get in trouble...tell the FBI they've been downloading kiddy-pr0n
--
"HORSE."
"HORSE."
-Flaming Carrot
I spent a couple of years as a network admin at a company with about 500 employees. Around 200 hundred employees did order entry in a call center.
This company wanted no monitoring, limitations, or lockdown on desktop PCs. It wasn't surprising that the company was not profitable. This was a very costly policy.
Common/ Constant Problems encountered:
- Employees surfing for porn for hours during 9-5. This happened all the time. The proxy logs showed who was most active. Shouldn't the company know if employees are not working? If an employee was sitting around reading playboy for 2-3 hours everyday shouldn't they be counseled and then fired if they do not start doing their job
- Employees surfing entertainment sites. I could walk around and usually see at least 20 employees in the call center glued to ESPN's home page. Considering it was a computer company was that really right? If an employee sat around reading sports illustrated all day, that's a problem. If an employee is at ESPN all day, that is a problem - and hard to detect.
- If it were your company would you be happy knowing that employees are getting entertained instead of working?
- Email - used to pass porn, games, Word macro viruses that blew out most of a call center (I had already gone). The system's in the call center had to run some very strange, very problematic third party, non-commercial apps. It gets really old, really fast when employees keep crashing their systems because of some strange program their buddy emailed them. On one occasion I went through and traced through a software trading ring that existed in the call center - it usually took about 2 days for a program to hit 80% of the call center.
- The female employees do NOT like seeing hard core porn on their coworkers screens. This happened a lot, daily in some instances.
Because there were no clear rules, a very ugly form of favoritism evolved in the call center. If the managers liked an employee (Or often if they found a female employee attractive) the employee could get away with a anything. They easily fired many hard working, but unpopular employees.
Eventually the call center deployed a PC and phone call monitoring system. At any time a manager could be listening to the employees phone and viewing their PC screen - and recording everything. Call Center's love that technology, personally I find it TOTALLY offensive. I think it has little value and simply indicates incompetent management. A good management team would never use or need such methods.
There needs to be a balance. A company needs to manage operational costs, keep productivity high, and respect employees. If employees are not respected, the most valuable will depart.
A company needs to clearly and public state what is acceptable. Any "measures taken" should be kept to a minimum and made public knowledge - Big Brother works in secret, a company working to contain costs should not. Employees need to be trusted and respected. At the same time though, some measures have to be taken to keep costs down. At the company I was at, there were a lot of young people that had not worked very long. Some restraint was needed. I saw what happened with no restraint and it was ridiculous. Some IS employees started referring to the call center as "High School" - it was all about being popular and getting away with as much as possible. I am serious - it really was like this.
I think acceptable measures are locking down desktops completely and blocking access to non-work related web sites (that's why its called work!). Fire employees that get caught a third time viewing porn. Fire them because they are not doing their job - don't even bring up the porn issue.
I like locking down and blocking. It sets limits but does not invade privacy, it is not watching over anyone's shoulder. One alternative is have an open environment, which rarely works in the real world where there are hundreds or thousands of users. Another alternative is monitoring, and that is to degrading and disrespectful.
Please don't flame me. I know how popular my opinion isn't. I'm just relating my experience and if you know of a better way, I honestly would like to know.
If I choose to walk to the a gas station on my lunchbreak and buy a stack of girly mags, that happens to be my business, and my business only. nothing anyone can do about it. (assuming ofcourse that I'm buying legal porn, not the "12yr old and 3 sheep!"-kind.. which I highly doubt any gasstation has in stock..)
No one can understand the truth until he drinks of coffee's frothy goodness.
--Sheikh Abd-Al-Kadir, 1587
I LOVE this! Do it!
"I didn't kill that guy--a bullet did! All I did was point my hand at him and twitch my finger. It's a bullet that did all the killing, not me."
--
This is not my sandwich.
If their workflow is "fscking everything else up" why don't you fire them for that? Isn't that enough?
It seems to me that scanning email for porn is less effective than firing those that aren't doing their job for whatever reason.
Waiting 'til someone gets spammed with porn then firing them is too easy to abuse.
The liability of the company for contraband and sexual harassment is another matter. The company should define *exactly* what they wish to ban in that case -- it shouldn't be up to a sysadmin to make decisions about liability or morality -- they haven't been trained in those fields.
Jim
"Your at work, to work. "
:). How 'bout those people working 12 hours and getting paid for 8? They supposed to concentrate on work and nothing but work all 12 hours? Thanks to unions most folks have lunch and coffee breaks now, at least.
It's nice to see the Puritan ethic still alive and well
Separate the moral issue from the rest. If someone isn't producing, warn them, then fire them. Don't worry about analyzing why unless the employee asks for help. Similarly for drugs, test functionality, not blood or urine.
The liability issue is one I can't see an easy solution for. I think it arises from our basically broken culture -- sexual harassment seems to be a combination of asshole behavior with extreme sensitivity. When a company engages in a culture of sexual favors for promotion they deserve being sued. I can't see their liability when an employee misbehaves unless they refuse to discipline them, or if repeated, fire them.
Possession of illegal information being a crime (say what!?), the normal standards should apply. Presumption of innocence, requirements for probable cause for search. Corporate workplaces define the 'laws' we live most intimately with, what good are general civil rights if we surrender our civil rights there? Can't you imagine a future where corporations provide very nice housing for their employees and monitor everyone's internet connection 24/7? Don't worry, you'll still be able to choose *which* corporation monitors you!
Jim
Actually, I think the key word is 'recording', not 'monitoring'.
Thanks to Linda Tripp, I suppose everyone knows by now that state laws determine whether you can legally record a conversation.
"A one party state means one party to the telephone conversation has to have knowledge and give consent. In a two party state, all parties must have knowledge and give consent. It would appear that, if a telephone conversation crossed state lines, federal law would have jurisdiction. "
I found this URL to be pretty informative. Look up the place you live in. Oddly, most seem to be one party states.
http://www.pimall.com/nais/n.tel.tape.law.html
L.
"Be very, very careful with telnet. Unless you know what you're doing, it is all plain-text. Capturing packets from a telnet connection on your network is very simple.."
Agreed. However, I think it's extremely unlikely that any company would bother to monitor telnet. In most IT depts., telnet is such an arcane thing that almost nobody uses it, and I'm pretty sure most HR people are unaware of it (I'm talking of regular corporations here, not hardcore geek shops, so don't get all agitated when I say almost nobody uses telnet).
Unless, of course, some weasel sysadmin reading this goes on a telnet sniffing spree. Oh, what have I done?
L.
:)
I beleive the best way to go would be to send out a message to everyone saying that they are going to be watched. If that doesn't scare people into not doing whatever it is that they were doing, I guess it's too bad if they get caught. Now if they're asking you to monitor and report people WITHOUT them knowing about it, that's bad, and if I was in that position I'd like to think I'd refuse to comply on moral grounds, but losing my job would be pretty strong motivation not to.
I'm a Microsystems Analyst in a samll hospital. When we began to provide Internet Access to employees, we all signed a short but very fair piece of paper, saying that "Viewing, dowloading, or e-mailing inappropriate material (such as pornography, violent images, offensive language, etc.) is considered grounds for immediate termination of employment."
But exactlly what is considered inappropriate? I mean, I like my porn as much as the next guy. Give me porn or give me death. But, what I consider pornographic may not be what my boss or other co-workers consider to be pornographic. Great care
sould be given in deciding what you sould be checking out on the net.
The companies we work for hires us to do specific
jobs. They give us tools to do these jobs. They give us Net access to be more productive at these jobs. It is not our jobs to be smutt surfing at work. That's something that you should be doing at
at home. This isn't a question about censorship, it's about proper work ethics.
At the end of the day we can all go home and surf
for all the smutt we want. And I know that I for one shall do EXACTLY that!
Good Point. When I defaulted to the dir. of IT at my company, (I was the only one left in a downsizine, I have no staff), I was shocked and appauled that they forced me to go to a sexual harrassment seminar. Them I found it was state law.
At my company, sexual harrasment is in the eye of the beholder, so anything discomforting about the workplace can be deemed sexual harrassment by those go so far as someone touching someone too much or a poster of a hot chick leeringly promoting a chat site on a CD cover can be considered harrasment. Lawsuits scare companies. All money must go to stockholders.
Their answer has been to have zero tolerance policies against SH.
I found myself telling another manager that a screen saver on one of his users' machines was could be considered offensive to others that might see it (it's a 50's pinup photo with a woman wearing stockings.
Then again, one guy and the guy I replaced were notorius for downloading porn at work.
Ramble, ramble ramble...
I was once told that when Microsoft was first connected to the Internet, the guys in Network Ops watched with amusement as the caches began filling up with hits from porn sites. Fortunately they didn't particularly care, and apparently still don't. I mean c'mon, if they were paying attention they might notice I was posting to Slashdot, and then how would I report in?
Excuse me, there's somebody at my office door.
--
Someone you trust is one of us.
Moderate this up.
The written policy appears to have been different than the executed policy. Individuals should be given warning of the sea change. At the very least, asking for this buys you time.
All of the posts I have read are missing the point. This guy is doesn't want to be a voyeur, he doesn't want to be a babysitter, he doesn't want to be a tattletale. He doesn't want to be any part of any implementation of a privacy policy. His question is: can my employer *force* me to do this distasteful, snoopy job?
The answer to that is: yes. If your goal is to keep the job no matter what, and they are really insistant and will not let you back out, then you will have to leave or you will have to get fired. Most states have employment-at-will, which means that you can be fired anytime, for any reason or for no reason, and they are not required to tell you what the reason is.
What would I do? Well, first, I am such a straight-laced cuss it may be that no one would even dream of putting that kind of request to me. But if they did, I would firmly state, immediately, that I would not do that, and they could do whatever they want, but it won't get done, get someone else or fire me or whatever they want to do. Basically, I would let them know in No Uncertain Terms what my position is. Then I would leave it up to them.
This seems like fair and equitable way to do a dirty job. What I object to is periodic complete or random scans.
Make a hotmail account and spam the suits with porn advertisements. Turn up evidence the CEO, CFO or other high ranking officials have been receiving these porn spams. I'm sure the problem will dissappear then.
It depends where the original poster was from. In the UK, my lawyer friend tells me that it is perfectly legal for someone like a sysadmin to read email and documents if they do not have to alter the system (crack it, for example) in order to gain access. The same goes for telephone taps and the like.
I have no idea what US law is like, they are a little more concerned with their rights, though it is changing over here.
> You have got to be kidding! What happens to the guy who's wife emails him about the great time she is going to give him tonight and it ends up in some manager's email box?
;-)
Get the husband and wife to use icq.
Then delete your message history at the end of each day.
Seems logical that if you have email access, then you have icq access.
I was stuck in an odd position dealing with this sort of thing.
:)
:) I don't know how many port scans I did on their firewall from the outside, but they never once noticed. But they bought a firewall appliance -- a BSDI box with a gui administration front-end -- so it must be secure.)
:)
My advice is for this kind of think, try to work the "word of the "law" to your advantage. Poorly-written company handbooks can sometimes be your friend.
I was a sysadmin for a small (50 or so employees) company. It was pretty much a grass-roots organization. I think we had maybe 2 levels of management. I don't think monitoring employees ever crossed the minds of "management".
Then we merged with another larger company. Things really changed over night. Though the company now wasn't *that* much bigger (250 employees), we became so bogged down with bullshit corporate red tape it wasn't even funny. I think the Titanic had a smaller turning radius than this little company.
Well, the new "HQ" totally flipped when they found out we weren't firewalled. So we whipped up a linux box and in a day had our internet connection locked down. It turns out they really didn't give a shit about security -- they just wanted everyone to go through thier firewall, which they dutifully logged all access.
(An aside: These morons, who tried to push thier "Security" on us really had things wide open. For grins, I hopped onto my personal ISP account one night from home. I was able to use their proxy server to proxy behind their firewall. Of course I informed them, and it was quickly fixed -- but I never got so much as a thank you.
Anyway, morale took a major hit. People were always cursing under thier breath about "big brother" and such. I was as much as victim as my users were, so I tried to do the best I could.
My view, as an admin, was that while the Company had the right to monitor thier resources, users had no obligation to make it any easier. I set up a junkbuster proxy at our site, which proxied off of the "official" corporate firewall. All connections were logged at HQ's box (I turned off junkbuster logging), but they could only narrow it down to our site. If an abuse was brought to my attention, only then would I consider other measures.
Furthermore, our Intellectual Property Agreement wasted a lot of paper on trying to protect company data/info/etc. So I felt a moral obligation to protect my email from anyone hacking the mail servers. Naturally I used PGP -- I even had a registered copy for my office workstaion. I encouraged others to use PGP as well, but as most here might expect, it was too much trouble. I was never called on the encryption, but I would have held out for a court order to unlock my mail.
It's a shame, too, as there were several cases where the corporate goons did a sweep of everyone's mailbox. I was browsing the event logs on our local Exchange server, when I noticed that one of the corporate admins had systematically opened up every one of our mailboxes. I enquired and pressed for a justification.
Here's what I got: Being a software comany, they held several user conferences a year. At the most recent conference, it was alleged that a competitor got a hold of a list of customers who were attending and chartered a riverboat dinner cruise that same time/location as our conference and invited everyone who was registered to come to our event. Naturally, management suspected one of their own and went on a witch hunt. I thought the whole thing amusing, and somewhat clever on the part of our competitor. I would expect nothing less from players of a sales-driven industry like ours. I don't know if any of our customers even took the offer, but it sure pissed off our top brass. So they went through everyone's mail in a vain attempt to catch someone.
I objected to this. Though our competitor's sneaky trick may have hurt our ego, I personally don't consider a list of conference attendees to be proprietary/sensitive data, certianly nothing to warrant an invasion of privacy. I thought the manager who authorized the scan was way out of line. I stated that even though the company had every legal right to do this, I felt as custodians of computer resources, we had an ethical obligation to use our power only when really really reall warranted. I also felt we should publicly expand on just what we were capable of monitoring -- as a deterrent. I was immediately shot down by an over-zealous officer of the company. Paraphrased, "When the police tap the phone line of a criminal they don't tell him when and how they do it." His logic was faulty in that he assumed everyone was guilty from the beginning, but I didn't press the issue further. I just made it a point to answer honestly and completely whenever one of my users asked about what was monitored and how the technology worked. I even offered advice on how to circumvent the monitoring, if possible.
My holy grail during this time was to find a proxy on the net that was like Anonymizer but 1) used SSL (admins can't watch traffic) and 2) somehow hid the destination URL (unlike anonymizer). I never found such a service, and I have since been fired from that company (for a completely different issue). I now work at a large public university, where at least invasions of privacy are protected by law. Better yet, I admin unix rather than NT.
Is it possible to guarantee that those people won't get into trouble?
Nope!
I was fired for forwarding on a joke about Ebonics from a mutual fund company a few years ago. I didn't make it up. I didn't even send it to the person who was upset. My friend thought it was funny. He forwarded it to someone else. That person printed it. Yet another person read that and *I* got fired!
So, don't make decisions on who will and who won't get fired. You may be wrong.
~~~~~~~~~~~~~~~~~~
Tom McKearney
---- It puts the lotion on its skin or else it gets the hose again. It does this whenever it's told.
Companies are liable for employee email
Halloween documents, harrassment, everything
If you want privacy do it at HOME, or use appropriate encryption
but really just be glad they let you use them personally at all
I was a contractor at one of the largest companies in the world (in this case, a chemical/plastics plant). I lost my job over an argument with 'real' company 'administrators' (who often needed help with sharing a drive in NT) about whether or not I was allowed to encrypt my e-mail with PGP.
It seems PGP presented some problem for their e-mail scanning software. Something about a 'security violation'.
Privacy?
======================. http://www.nsacom.net | ======================'
Dammit, then, there should be more porn on /. You should be mailed a twinkie every time you surf to the website, too, just so it could be fattening, and immoral. It's not illegal yet. Maybe we should start to encrypt and make "them" think that it is. After all, only criminals encrypt...
I am not a number, I am a free radical
number 6.2
"If god did not exist, it would be necessary to invent him" --Voltaire
Don't worry about it. Simply scan it once or twice, send private warning letters to the users who have questionable material. Make the letters sound official and defend company policy so if one of the letters gets back to the hunters, you can simply say you thought they should have a warning first. Most likely all the porno fewls will ease up. You can say you scanned em every month or whatever, but really just let it ride. Management only needs to know what you decide they should know. Often in my job (SysAdmin) the CEO refuses to spend very small amounts of money (like $200 at a business that makes millions) for upgrades and/or hardware that we *really* NEED. I figured out that sometimes you have to make up a different reason that sounds even more important. Our network was getting bogged down because of high bandwidth applications we use. We were running 100BaseTx on a hub. I decided that we needed a switch to isolate the bandwidth between the two coworkers using the video application. The CEO said "No, we don't really need that. Everything works fine the way it is." Actually we were having all kinds of problems when the Database Client timed out from the server because two or four people were running video and lagging the hub to death. So in the end, I had to screw somethings up on purpose (like change the server's IP), and claim that the hub burned up from too much load. Then I told him rather than getting a new hub for us to burn up, we could get a switch and fix two problems at once. I know many other sysadmins who have to do the same thing in order for things to run smoothly at their job. What you have to learn, no matter what the subject (hardware,software,privacy,etc) is to simply tell the management what they need to know, what they want to hear, or what YOU want them to hear. If the management wants to hear that there's no pornography in the email, then by god, there's no pornography in the email. You are the admin. Use your power for good not evil ! (Except a little bit of nessicary evil)
At IBM, they monitor everything you get, every site you visit and if you go porn surfing then they fire you.
Yeah, right- there was a guy who used my desk at night. I'd come in and glance at the history file in the morning and find porn all over it. He's been told four times to not do it- he still does and he's only getting let go now that the project's over with.
Does your company have an acceptable use policy? and if so, have all the employees signed stating that they understand this policy? If so, then the question is quite simple, as has been stated numerous times in the threads, all resources are company related, and you work for the company, as an administrator if you find "non company programs" running on client computers, i doubt that you would have a problem removing them, why the fuss about email?
Most people are at work 8-10 hours a day supposedly to work, they have 14-16 hours outside of work to surf all the porn they want to.
I personally do not want to have to do the metrics required to keep my QOS levels where they need to just because users want to surf out of bound sites.
p.s. a search of google.com for "sample acceptable use policies" will return thousands of hits that might be of assistance.
Good Luck
/rant off
When the Spaniards cruised up the pacific coast of the USA (to log all the traffic using the various ports) around the early 1600's they pulled into a natural port (now called the Monterey Bay) and found a populous nation (The Esselen Nation) of organized and peaceful people at that port.
"The land [is] well populated with Indians without number...
They seem to be gentle and peaceful people..."
- Sebastian Vizcaino Dec., 1602
They also found those peaceful and numerous people stark naked! (egadds... porn over an open port)
"...They go naked at this port."
- Fray Antonio de la Ascencion Dec, 1602
And the battle over nudity over the open ports in the infrastructure begins in California.
1770 Mission San Carlos Borromeo was founded.
1846 US forces claimed possession of California.
1851 the first of many (always broken) treaties were signed with the Esselen Nation
1800s-1900s Massive eradication of the nude elements (and their sympathizers)
1999 there are only about 350 enrolled members of the Esselen Nation. (down substantially from "without number")
The battle is won. The (remaining) naked "heathens" are fully clothed, and all ports are preserved for decent law abiding non-naked traffic.
But wait. There is a new port. An electronic port in an electronic infrastructure. And we have discovered a nation using this port. And guess what....."They go naked at this port".
Your task, Sr. Cliff, (should you choose to accept) is to clean up this new port and make it safe for decent law abiding (fully clothed) citizens to tread. You must eliminate the naked nation which is using this corporate port.
The fact that no two snowflakes are identical should tell you something important about God's will.
Grammar?
Darn. The pedants are revolting.
Al
Because nobody except rabid PCers would understand you. A great suggestion for if and when the majority - or even a significant minority - both understand and prefer the use of an agreed neutral pronoun.
- ------------------ B aron Munchausen---
In science fiction, sexless individuals are often described as 'it'. But people don't like that applied to themselves; it has insulting overtones.
However it IS generally acceptable to use the gender-neutral plural: they, their etc.
Al
-----------------------------------------------
Your reality, sir, is lies and balderdash and I'm delighted to
say that I have no grasp of it whatsoever
-----------------------------------------------
Veni Vidi Vici = I came. I saw. I conquered. Julius Caesar about, I think, England.
- ------------------ - -------greyrose---
Vidi Vici Veni you can therefore work out for yourself.
Veni Vidi Visa = I came. I saw. I did a little shopping.
Al
-----------------------------------------------
"i saw a sign that had the distances to various cities, and it
said Los Angeles - 404 and i thought - what the fuck happened
to los angeles?!"
-----------------------------------------------
I can't say that I totally disagree with a company's right to scan their own networks (including email) for "illegal" and potentially damaging material. After all, it's THEIR network, and THEIR hardware/software you're using.
But, where is it to stop? How long before ISP's start scanning any and all packets that go through their network, looking for pr0n and other "objectionable" materials, and either getting the user arrested, or kicked from the service? Who's to say that someone with a cable modem might not be packet sniffing their entire neighborhood, find some pr0n, be offended, and complain to the ISP, and threaten to sue? You'd think that someone doing that would likely be kicked just for packet sniffing. But, with today's corporate fear of lawsuits, it's entirely possible that the packet sniffing luser might just get their way, and win a huge lawsuit in the process. It only stands to reason, then, that the ISP would want to prevent this from occuring, thus scanning all incoming/outgoing packets for pr0n, and either booting or prosecuting the "violator".
Just my $0.02.
-- You have moved your mouse. Windows will now reboot.
Well you could put a couple hundered MB of porn in the offending HR persons network directory or e-mail folder and get them fired... No more witch hunters, no more problems...
If you voted for Nader, THIS IS ALL YOUR FAULT!!
Its a touchy issue, but one cant always control what others send them, so unless they've subscribed their work account to a porn list or somthing, the only thing that should count against them is if they're /sending/ such material from their company account.
Needless to say not doing it at all is the ideal choice.
I was chatting this over with my systems administrator, and she tells me that you absolutely must not snoop into somebody else's files because the trust between a sysadmin and the users would be irrevocably broken.
She never su's into anyone else's account unless they are in the room with her and have given their tacit approval, or she's phoned them for explicit permission, or it's a screaming emergency and she must in case another World War breaks out.
Sounds like a good policy to me.
this post was so funny
Somehow, I don't think that if we run into a n-sex alien species that we are going to blindly use "he." I would hope we would find a good, decent, generalized term by then.
ufdraco
Well if it is after 1985 and when they were hired they were notified that their email could be read by anyone at anytime, then there isn't really (a) anything you can do about it and (b) any reason to have consideration for an employee receiving email with porn in it who's not cleaning up after itself.
:)
Don't worry - anyone smart enough has it all archived and off your mail server anyway, and the rest deserve what they get
keeping the world safe for prematurely grumpy old men for oh, about 7 years now
I agree and can relate.
My previous job (some years back), I had the misfortune of being told to scan all the office machines for games/screen savers (only blank screen saver allowed) and remove them (this was before email).
What's worse was I had to do monthly. It finally stopped as everyone knew when I was coming around, deleted all the stuff and put it back on when I left (save disks supplied by me:). Also I ( a few months into it and intentional) would take the machine down for quite some time while I checked it, which in turn had the departments complaining it was being disruptive and finally got it stopped .
Hi,
Our company had the same amount of problems. Worse yet; sometimes, very rarely, the amount of non-business data tended to take too much bandwith for our regular datastreams. Since you got 2 problems in this matter (privacy of a persons mail & company propperty / violating of company rules) I decided to take 2 actions which lead to a drastic decrease of these activities. Offcourse all of this was implemented after I warned the users what was about to happen.
First we stripped incoming messages of any attachment while sending the contents of the message to its receipent. The obvious graphic files (bmp,gif,jpg) were moved to a different directory while the system made copies of all other files. Since most of the users on my network attached stuff this filtered out quite a lot of illegal activities without violating privacy issues.
Besides this we scanned the size of the email message itself. Normally no email msgs were intercepted due to privacy but when a message reached a certain size (approx. 50kB and above) we (my superior and myself) would intercept and check it.
I found this to be the best solution. Personally I don't think there is an "out of the box" solution for these sort of problems. The best way I can think of is to analyze the situation and take appropiate actions.
I am a Net Admin and I have to do it as well. How I handle it is I go look for it and if I find it, I play "Dutch Uncle" and give the individual a heads up. A few minutes later it's gone. No problem. That way, the two of us are the only ones who know, and no one gets fired or black balled.
If this is true, aren't most ISP's businesses that reside on private property. Your mail passes through at least one isp that belongs to a private business every time you send mail. So someone always has a right to go through your mail right? Wrong.
Exactly. Then suddenly the administrator is given the power to get anyone hired and fired...which in a way, we kinda have anyway. The questions not whether you have it, it's will you abuse it. abusing by using it to violate peoples basic rights to privacy is for weasels.
OK, there is only so many lies one can see in one post before one has to reply.
In Elizabethan english, there was both a familiar and a formal version of the second person singular pronoun. The familar version was "thou" or "thee" Thou as the subject of a sentence: "thou hast a chicken on thy head", and thee as the object: "I despise thee." Neither of these words were every written with a thorn.
Ye is a formal variation of the plural "You" as in "Hear Ye! Hear Ye!"
The Ye of "Ye Olde Shoppe" is however a transliteration error - it is pronounced "the".
Get your trivia right.
Thinking of Maud you forget everything else. -- hack v1.0.3 [] Who was that Maud person anyway? -- nethack v3.1.0
Your at work, to work. And I know I know that you need your privacy, but get down to it, companies want the mighty buck. And they want to get what there paying for, your on company computers to do company work, if you DIDNT have computers, you think companies would like you walking down the local gas station and buying girly magazines? I dont think so. But whatever.
I don't think anyone would see anything wrong for a company disciplining somebody who had a huge long distance bill to 1-900 porn sites. Why should they not halt time, space and bandwidth waste of their Internet access?
I monitor Internet use looking for bottlenecks and bandwith problems. I would rather save bandwidth by stopping access to porn sites than access to system upgrades.
No problem... I simply ssh to another box where I do all my email. I don't give my work email address to people unless it will only be work related. Of course, with email, you can never assume it will always be secret.
As others have said, almost every company has clauses that give them the right to monitor all network traffic, including your e-mail. As has also been said, abusing this will create a hostile work environment.
What I have not seen addressed is which department has the authority to order this. If the HR department has the authority to order this, then the HR department has authority over the network, something they are not qualified to manage.
Furthermore, the likelyhood of being dragged into corporate politics increases greatly, something most engineers want to avoid and something any good compony wants to help them out on. I mean, if you owned a company, would you want your SA's playing politics? After all, they have access to sensitive information and are usually the only ones authorized to use network monitoring software and hardware!
And there is of course the issue of the SA's time. Most places are understaffed when it comes to SAs, so the likelihood that they are working on something else that is more important is pretty high. And what about spending money to buy monitoring software (hey, if HR was shoving something down my throat I'd be much happier buying somthing to do it than to have to write something to do it)?
Unless necessary (e.g. financial institutions like Edward Jones and A.G. Edwards) monitoring e-mail should be done against individuals when suspicious activitiy is detected or complaints filed.
As others have pointed out, any hours I work over 40 are on MY time. If the company expects me to work more than 40 hours then they have to give me a certain degree of privacy, because I will have to do some personal things from work.
The bottom line is that the HR department should have to submit a request for the network monitoring and then justify it. If they think they can demand this without a reason then you should either start looking for another job or have a talk with the company lawyers.
-- Argel
P.S. I would give a company wide warning before performing the type of monitoring you have been asked to do. Make sure you point the finger at the HR department, or you will take the "bad vibes" bullet when they are the ones who deserve it.
-- Argel
If I were you, I would agree to do it. Then send a message to every single user explaining exactly what you have been asked to do, and warning everyone. Tell them you may be fired for this, but it would be wise for them to watch what they attach to their emails as thier superiors have the desire to get snoopy.
... The machine that is America is oiled with the blood of the working class.
Oh yeah
Bwuckatah bwuckatah bahhh, bwuckatah bwuckatah bahhh!
Bwuckatah bwuckatah bahhh, bwuckatah bwuckatah bahhh!
7th Design
Not directly experienced with this, but aren't most corporate email servers set up such that the clients do no local storage, and that clients' delete requests just "hide" the info? Otherwise, there's too much risk of other evidence-destruction liability, common with insider trading or espionage litigation for hi-tech companies.
[
I'd say scan it... but I'd give them fair warning. That or else send a message to the people telling them you are going to scan it, and send company policy to them, I am big into the whole "privacy" things as well.. but I also firmly believe that if they are getting their work done, and keeping the information the do INSIDE the company, who cares what they look at, everyone basically is a freak of some sort, whether you look at flowers all day or stare at some woman bending over... most likely in today's day and age, SOMEONE will find it offensive...
Ich fing ein helles Niesen ab, Träumte einen kleinen Traum, ich aufbaute meine eigene hübsche Hassmaschine.
Well, I'd have to agree with some people that chances are that if you don't do it, they'll get somebody that will.
/ PAPERS/encrypt.htm
Reach a compromise that all users are notified of the change and be sure they all know that any images included in their email will likely be looked at. Also, at approximately the same time you can publish a memo on the importance of making sure your email is secure and that any sensitive data should be encrypted. Point them at the recently revealed Canadian "email encryption made simple" that was on slashdot a few weeks ago http://www.ipc.on.ca/Web_site.ups/MATTERS/SUM_PAP
The really smart ones will start encrypting, the moderately smart ones will stop getting it sent to work and the dumb ones will get caught and fired. Natural selection at work.
Unbreakable toys can be used to break other toys.
I understand there are legal issues involved, but since the HR department seems to be the instigator in this, maybe this is the first department that should be checked, then at least you'll find out how serious they want this scan to be...
-------- This space intentionally left blank --------
If I were asked to do this, I'd have to do some thinking. Not whether or not I would do it, I know I wouldn't, I would just have to consider the manner in which I refused. I would probably explain (nicely) to my superiors that I feel I'm being asked to commit a grievous violation of people's privacy, without any good reason. This is not investigating one problem user to see what's going on, it's searching to see who is doing immoral things. It's not about bandwidth or disk space or other resources - if it were, we'd look at who's using the most and why. Or, we'd search for other types of non business related data, like games. It's certainly not about who's wasting time instead of doing work - people who do that have a lot of choices, and it's not like taking one away would have any impact.
I imagine that I consider assisting in a witch-hunt of this sort a vastly more serious violation of my morals than the people calling for the witch-hunt consider the porn a violation of theirs. I could not be forced to do this, I would quit if necessary. I would make sure what's going on is made public knowledge. The job market is good. At least at my current employer, while being caught looking at porn is a serious offense, the proxy logs are only looked at for a specific user when there's a specific reason. And nobody's email is *ever* being read to see what they're up to. And it will not be as long as I'm employed here.
I realize that the company owns the machines, and it's theirs to do with as they please. But unless there's a strong reason to investigate a specific person (probable cause, perhaps), the company should respect their employees' privacy. Compare it to parents searching their children's rooms, reading their email/snail mail/diary, or listening to their phone calls. It's just wrong.
That depends on your value to the company. If it would cost more to lose you than to have some porn floating about unnoticed. Nowhere I have worked would I have been fired for refusing to do this. They go through enough work to keep me from quitting on my own, they're not going to just fire me over something silly like this.
If they did (or if they forced me to quit), good. I will make sure that my coworkers know exactly why I'm leaving. Their anger over the situation will more than be sufficient revenge.
This is a very good point... I was actually going to say this. :) The thing to keep in mind is this, though: if the place you work for is anything like mine, you have to sign an agreement stating that you understand the rules of the company, and that you agree to abide by them. This means these people should know full well that everything put on their machines is the company's property. Therefore, they should accept responsibility for what happens.
As for the aforementioned suggestions... I doubt the sysadmin has any choice. He just has to provide the logs/information, and then management and/or human resources determines what to do with it. If someone gets terminated, it's due to the management's decision, not the sysadmins... and if you go against them and don't do the scans, they prolly will terminate you. If you have a problem with this, leave the company.
Just my $.02...
No, they don't have the right...no more than your landlord has a right to randomly enter your apartment and check your wife's underwear drawer for drugs...its like a rent agreement.
Not exactly. A lot of companies are like mine: they make you sign a form stating that you understand the rules of the company and agree to abide by them. At where I work, it specifically states that the company owns the PC's and everything on them, which isn't the case in something like an apartment rent agreement. Therefore, they do have the right to be searching them...
Personally, I think the mail should be monitored (not actually read), with reading only taking place when you have evidence of suspicious activity... but then, that's just my $.02.
Privacy is definately still an issue. Users may not have the legal/contractual *right* to privacy, but I believe that common decency dictates that you shouldn't push into other peoples business without reason. :) Again, just my $.02...
I believe earlier posts stated the reason quite clearly: downloading porn on company time is a no-no. You're supposed to be working, not looking at pics.
As far as I know, technically, in the eyes of the court, they are right. In the eyes of what is practical and ethical, I'm not so sure. I don't think explaining to them why doing this would be "wrong" would help any, nor trying to explain the importance of privacy. However you could explain why doing this is opening a BIG can of worms.
First, you should find out what's really getting their attenion. Are the users taking up to much storage? Are the users running porn sites and making money on company resources? Are the users just simply wasting time, instead of working? Was there evidence or rumors of a pervert going around? With all of these examples, there are resonable ways to draft policies that keep people on a leash, but don't violate privacy. Such as make it a company policy that users only get so much storage. You don't have to enforce it, but when the time comes, you have a policy to back you up.
Second, you should explain the ramifications of doing this. Tell them you will seriously consider leaving. In some parts of the world, they can't get any computer help and suddenly, this action won't be an option.
Third, You should also explain the significant effect this will have on morale. People will be pissed, people that will very quickly find work arounds to go outside the system.
The fouth reason not to do this is to keep lawyers unemployed. If they do this, it may be very likely people will leave the company. Those people may also try and sue the company. They may not win, but they may cost the company $500,000 - and that can hurt.
The fifth reason is that, if they open this can of worms (especially w/o notice), they then become liable for all of the content on the network. In other words, if you were to censor this time, you can leagally be expected to censor all of the data on the network. For example, lets say their upset b/c Joe Bob is archiving alt.sick-sex.pictures. They make you break in and catching him, and they fire him for wasting company resources. Later on, after Joe Bob has been forgoten, Jim Bob is archiving alt.sicker-sex.pictures. FBI finds out what Jim Bob is doing, busts him and takes the companies equipment for five years (nothing you can do about that). However, someone's son/daughter was caused irreprable harm from Jim Bob's actions and files a civil suit against him. The lawyers will also name the the company in the suit, (b/c Jim Bob can't pay a lawyers salary off of what he makes in federal prison) saying the company had a history of stoping porn, but did not act in this case. This may seem far fetched, but things similar to this have happened. The parents may not win either, but they will cost the company millions.
Given the greedy nature of companies, I think a good delivery of the final reason will work. However, don't forget, you can refuse, quit, and go work somewhere else making twice as much b/c you'll be able to sleep at night and do more during the day.
Democrats and Republicans only disagree about how to enslave you
I tell everyone at the office to treat their e-mail account the same as they would the company's letterhead stationery.
If you look at some of the recent cases/settlements on wall street, there may be other issues in play, such as sexual harassment. The problem may not just be the use of company time by someone getting their jollies. The distribution of the e-mail with the porn attached and the content of the mail message may be a big problem.
I don't buy the assertation that the company owns the email that an employee recieves. The company is not providing any compensation to the SENDER in exchange for the email messages being sent. Wouldn't copyright law make all email messages copyrighted by the sender? If the sender did not work for the company, how can the company claim their property without compensation?
How about if the SENDER doesn't even own what was sent. Say someone sends me a web page off USA Today? Does the company own that? Certainly, USA Today would have a copyright on that material.
If it is true that the company owns any email an employee recieves, that would mean I could create a small company with that policy, get someone to email me the linux kernal, and then start charging Red Hat for every CD they sold. That does not make a lot of sense.
The company may own the computers, but that does NOT mean that they own the INFORMATION on them.
A quick at software liscensing should convince anyone that just because something is on a company computer doesn't mean the company ownes it. Most software is not owned by the company at all. The company owns a LISCENSE to use it on one computer.
Besides this, the SENDER was not notified in advance of this particular company's policies, and the employee gets penalized for actions outside of their control. Here's another example, I get your email address off of your business card. I send you some jokes about pro-lifers. The email filter at your company gets triggered, and a notice that you are pro-abortion goes to someone in HR. The HR person is pro-life and sets off on a crusade to ruin your life. I realize that this probably is not very likely for you in particular, but what I am trying to illustrate is that you could be targeted for something that you do not necessarily agree with.
Comparing this to a cell phone would be like saying that my cell phone company would listen to every phone call I make, record it and send it to the NSA if I said the word kill or president. This is not a situation I would support.
I have an expectation of privacy when I encrypt something, or when I use a land phone line.
All encryption can be broken and land lines can be tapped easily. Even faces to face conversations can be easily be monitored. Does that make anyone who expects privacy for their encrypted messages, landline conversations, and face to face conversations an idiot? We can be monitored in almost an facet of our lives. From work to in our homes. The military has devices that can tell exactly were we are in our homes through 6 inch thick concrete. Camera's and microphones can easily be placed nearly anywhere. Does that make anyone with any expectation of privacy an idiot???
Also, get it in writing. Many organizations will back down if you make them spell it out. It will also help you if it lands in court. Good luck...
I know this will sound a little rash, but it would probably stop the flow of porn through the company email setup.
First, Warn everybody with an email that porn scans will be administered, and let them know the consequences will be harsh. Tell them that it is automated so no privacy advocates will get their panties in an uproar.
Second, you set up a script that will automaticly scan all incoming and outgoing emails. Have it note every image that passes through. Also, have it forward the image and the employee's email address to you.
Third, and finaly, whenever you recieve a porn image from this script, email every box with a porn gestapo (sp?) newsletter, telling everybody who is looking at porn, describing the porn that they are looking at, and re-enforcing the company policy against porn... After one or two incidents, you should have the problem virtually, if not completely eliminated.
That is how i'd do it, anyway.
In Japan they have cartoon child porn, how do they deal with that?
> So if a movie (with live actors) shows a woman being raped or a child (real child actor) being graphically killed, this is allowed because it is not harmful to children. But drawing pedophillic scenes involving people who never even existed is
somehow ok. I'm confused. Why is a ficticious portrayal of one crime againse a child acceptable to the public but not another, esp when the latter doesn't even involve children in any way?
Maybe because the way many Japanese artists render their characters, it's hard to tell wether they're children or adults? (See http://www.win.or.jp/~juan/index_E.html for an example.)
Or maybe because cartoons are just "uncool".
Can the company really do anything in regards to the content of inbound email ? Is the user liable for the contents of inbound email or only the stuff they send out ?
Brought to you by the author of such childrens' classics as "Some Kittens can Fly!" and "All Dogs go to Hell."
Well, any company is of course free to search anything they want on their network -- if nothing else, just to optimize performance.
However, any company that tried to completely ban private thinking (or communication) in the workplace would see me quitting on the spot. I do a lot of company thinking on "my own" time, and quite some private thinking on "corporate" time, and the employers that don't understand that the line between "corporate time" and "private time" has become heavily blurred over the last 10 years simply don't deserve me working for them.
I wouldn't have trouble with sysadmins scanning my mail, but if he/she can't cope with what he/she reads, it's his/her problem. And any type of content or communication being banned would just make me quit on the spot. I'm their asset, not the other way around.
I'd recommend taking some time to do some serious explaining to HR and then blankly refusing (I'd do it even at the cost of my job, I can get a new one in no time, they can't get a new employee without heavy investments).
If I were you I'd tell your boss about security violations and the possibility of industry sabotage using secret information transmitted by email.
Then, when they're scared and about as paranoid as we are, you can tell them that there is a solution: PGP!
10-4, JoLo.
I'm pretty sure i recently heard an EEC ruling that Employees email is private, under the European Bill of Human Rights... of course, the US has different ideas on whether privacy issues..
Iain
I work security and do this on a regular basis, with the belief that
"Only those who risk going too farr can possibly find out how far one can go" - T. S. Eliot
I am a consultant and engineer by degree. My primary consulting focus is e-mail systems and Internet connections for large corporations. I was a node on the Internet in 1986 and have worked primarily for engineering and manufacturing companies.
No client has ever directed me to start a witch hunt. Never. I have worked with HR and MIS groups to develop and publish a clear, written policy for e-mail and Internet use.
If you have had to manage the volume of e-mail and HTTP traffic at some large corporations you would appreciate the problem. 1000+ users can generate something like 40K-50K of messages per day. Combined with HTTP traffic you can have gigabytes of data passing through your firewall and e-mail server(s).
Unless you limit the size of incoming and outgoing messages, they often exceed 5-6 Meg. My clients spend big bucks on storage and network hardware and software (and consulting) to keep these systems running 7x24. Putting e-mail and HTTP policies in place is self-defence more than anything else (legal and technical).
As an e-mail Postmaster, I treat e-mail the same way one would treat First Class US Mail. However, when e-mail bounces, I read enough to determine where it should go and attempt to forward (or automate the process). I have encountered 5+ Meg porn video files on more than one occasion. How do you handle this? I don't 'rat out' users, but press the company to establish a policy if none exists, or re-state the policy for users so its very clear what the consequences are.
This month a Major Financial Institution (bank) on the east coast fired staff for forwarding pictures and 'dirty jokes'. They had a written policy, they informed the staff (repeatedly), yet through sheer volume of mail and network traffic it became a problem then needed to address. Several people were fired. One of the people fired admitted he screwed up, acknowledged that they were aware of the policy, chose to ignore it and recognized the consequences.
Does it take firing people for a company to establish that they are serious about a published (and promoted) e-mail and HTTP policy?
I really don't know, but when training and consulting try to balance personal rights with technical responsibility.
Here's the thing I see with this - they want you to scan e-mail for pornography, which I am assuming refers to images.
Now, my question for everybody is: How much pornographic stuff is trafficked via e-mail? Most of it is web related. (You're free image mailed to you weekly is just a link to a web page).
Now, I can see the occasional pornographic joke images, but I really think these are in the minority, and most people I know don't keep them in their mailbox - they delete them after looking, laughing and forwarding - or they save them to their workstation so the mailbox doesn't get full.
My advise is to get it documented, then run it. There won't be many hits, if at all. I can see them not wanting to advertise the fact that checks are going to be made, hoping to catch as many people as they can, but pass word along to your buddies, who in turn will pass it along.
My 2 cents worth.
-NYFreddie
Barbie of Borg - She doesn't just Assimilate, She Accessorizes too!
Some businesses are required, by law, to have email reviewed. Specifically, stock brokerages can not accept buy or sell orders over email, can't publish certain types of recommendations electronically, etc. To insure this doesn't happen mail to and from brokers has to be monitored by the Compliance dept of the brokerage. Also all of that mail must be archived for three years. We have the SEC to thank for that. We are implementing a system to do this now, and yes HR is pushing to be able to scan mail for violations of the policy. We (IS) are not involved in anything more than insuring the technology of the system works. You should limit yourself to that as well. Ken
Get what they want in writing. This accomplishes two things: 1. Covers your tail in case of any bad legal goo, 2. Chances are they will not be particularly explicit about what they want you to do (they're HR people and probably don't know alot about the systems). Thus it will be up to your discretion as to how intrusive, or more importantly, unintrusive you are.
And if possible, make a martyr out of that guy who has a complaint every 5 minutes!
Ah HAH! You gave yourself away, Coward. "tell my boss that he needs to up my pay, for doing a task that is distasteful" pretty much nails you as someone who would surrender privacy because of personal feeling about porn.
Just because business has managed to manipulate our rights up to this point (in separating personal life from work) doesn't mean it is justified. If employers would make the workplace a more friendly atmosphere, there would be fewer problems. Workers should be judged on their productivity, not what they do during downtime.
Let's all look at this from another perspective. Ignore the bandwidth problem; there are ways around that. And assume that most people are smart enought to not view porn at work.
So, the employer gives you space to work in, right? A cubicle, or at least a desk. Some supplies. However, we do bring personal items to enhance the work atmosphere, don't we? We put these on the desk, wall, and in drawers, e.g. in the employers space. Do these items then become the property of the employer? NO! Why, then, does a file or an email become the property of the employer just because they exist in the employer's server?
IT'S THE SAME DAMN THING!!!
Also I suspect though I haven't verified that the supervisor has been getting into our Supernews.com accounts to find out which newsgroups we read. He and his sidekick like to drop hints about that kind of stuff. They relate phoney personal experiences to see if I/we have comments, etc. and later have no recollection of those experiences, etc. Time to get a new job, eh?
So these guys are serious creeps, and of course they're high school flunkies with no University degrees, and they're loved by the company for their Nazi-like submission to authority (it's corporate), but what can I say? You can only complain so much. In the end, this is the Information age, and with it come certain risks. You've got to avoid them. Practice safe computing. It's a job, not your life. If you want a real job, start your own company.
Look at it this way: If you're in a restaurant and some jerk is sitting next to you, you either leave or you move -- but you avoid him. If you're at a company and some higher up jerk is investigating you, you either leave or you avoid him (or her). Don't let your guard down ever, because that kind of person will try relentlessly to get you to do just that.
To address the idea which is the title of this response, if there are people who are ignorant that there are wolves in the henhouse, then consider it your duty as a person of good will to warn them that they are at risk. And if you're not a person of good will, then you're one of Them.
I work as a senior sysadmin at First Union. I mention the company because we made the news recently for firing 7 employees for passing around porno via Lotus Notes. We had to take a backup tape and set it to never expire, and it's now currently locked in a vault in our legal department. We did not find it, it was found by one of the Notes admins, who ran a usage test, and found users whose disk usage was way outta scale.
Personally, I think you gotta be pretty stupid to do that at work. Get a cheap ISP connection, and pass around anything, but not at work. It's not worth losing your job over it.
timbo
timbo
Maybe so, but if a company creates a work envorinment where they feel watched all the time and that the slighest wrong movee will bring an axe down on them, their efficiency and productivity will suffer. Quality of work will drop. Losses to the company from reduced productivity may hurt the company more than if they just turn a blind eye to employees web surfing. So long as employees are doing their jobs, let 'em be happy. Happy workers are productive workers. As long as they're not hurting each other (sexual harassment) or hurting the company excessively (downloading 50GB of porn per day), just ignore minor transgressions. They're harmless. No one wants to work for Big Brother and forever live in fear of the wrath of Management.
That said, the company most likely owns the mail server and the computer that you type mail from, as well as the email address you have at work. While the medium on which this goes out is public and cannot be scanned, there is nothing wrong with the company caring about how their server and email addresses are being used. (and as pointed out, this strictly has to be on outgoing mail; Any malicious person can easily send a porn ad to your work email without your consent. Additionally, Melissa-like email viruses must be taken into consideration as well, as too many companies are Outlook Express and Office people).
So if you are working for MegaCorp.com, they have every right to scan the mail on mail.megacorp.com for problematic ones. Not only is that their company policy, but if underpaid_worker@megacorp.com starts spamming bgates@microsoft.com with porn, MegaCorp's reputation can also be tarnished.
The problem is how they approach this. Porn in the workplace is a bad thing to begin with (Shades of Clarence Thomas here), and email is no exception; not only is in inappropriate, but it can lead to sexual harassment suits (In the past, I've seen a coworker talk rather vulgar and get bad glares from other workers, and that person was then talked to behind closed doors). Additionally, that email address is provided by your place of work for work-related purposes; unless you work for a porn place, porn is not work related, much less numbers of mailing lists and such. Many places are lax on that only because all work and no play == low productivity.
However, if the place of work started to demand access to your aol.com account that you paid for, sue the heck out of them.
Anyone that is intelligent enough, IMO, would have a mail account that is for more private things, whether personal communications between friends or porn or whatever, and would only access that from home.
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
Since that doesn't seem like it's the case where you are, SAGE's Code of Ethics for sysadmins might be personally helpful, at least.
--
This seems a common thread in censorship debates. *Everyone* even the censors agrees that censorship is wrong but, the objection goes, we should censor with the truly eggregious(sp?) offender. Right now that eggregious offender (for those with a more lazie fare approach) is child porn.
But by saying it is okay to censor something, even as bad as child porn, we have allowed an infrastructure to be built which lets us watch people and prosecute them for their communications. Just as in the classic slippery slope argument once anyone who looks at child porn goes in jail who will object when they push the line up to 'anal sex with an under 21 year old.' Each step is allowed because who wants to be identified with the small percent who watches 18 year olds get ass fucked?
Secondly while child porn is a bad thing such a massive invasion of our rights to communicate should, like any law, only be enacted if it prevents the violations of others rights? Does the child porn law really do this or only make us feel good about a subject we would rather not think about?
Does the fact that it is illegal to distribute child porn mean that more porn is made b/c the distribution is so difficult? Does the fact that he can't download any child porn off the net to jerk off to mean that your neighbor will molest your boy looking for his high?
Maybe if we only banned commercialization of child porn images less children would be molested. If they themselves weren't going to be thrown in jail we might have more informants on who is doing that actual abusing.
It is possible that the child porn laws and restrictions are a good thing despite their danger to our freedoms (worth the risk). However, the knee-jerk reaction to censor the material without even stoping to think about it is one of the worst reactions imaginable.
Marriage is the "pseudo-ethics" that cloaks the messy truth of sexuality in the raiment of propriety -- it's "Don't Ask,
Just send a warning to everybody fist. I know, send everyone a mail, something like "please clear out anything private of pornographic or political or ... scanning starts next week". That kinda thing. Now you'r in the clear on both your asses.
Simple eh?
LINUX stands for: Linux Inux Nux Ux X
FRA: STFU GTFO
The results of this scan should only be seen by a few authorized managers (not even you/me, if possible).
That covers me ethically. The authorized managers, if ethical (and good managers), will make rational and intelligent management decisons on how to act on the results.
My suggestions here: If the offending material is not illegal (not child porn or whatever might be illegal in your municipality) then the offender should be reprimanded privately. If it is illegal, well ...ethics is a tough subject matter ..you're on your own. It is important that all offenders are treated equally though.
Granted, about the drug testing point.
However, in my opinion, there is no justification for drug testing if an employee isn't employed doing anything that could endanger someone else's life.
I would excuse drug testing if an employee shows impairment on the job. In that case, firing them is justified. This would include alcohol.
Once upon a time, them and they were not specifically plural. Why not make them the gender-neutral pronouns? People do it everyday by accident, why not just make it the rule?
At the very least, everyone will understand what you're saying. Nobody should get offended, except for some grammar bigots out there that have close-minded views on the modern evolution of language.
--Joe--
Program Intellivision!
Absolutely. And as a security enforcement method, set up an automated script that will notify the 'perp' that they've been spotted. Notify ONLY the perp, and just log the event - until/unless it's gross and repeated misconduct.
However - this is a sure way to get fired, since everyone is equal, except for those in management, who are MORE equal. Rub the people in power the wrong way, and you'll end up with no reference from this job.
-- What you do today will cost you a day of your life.
A company may not be able to monitor the content of a phone call (legally), but the frequency, type and duration of phone calls are fair game. Especially if you're on a PBX, making lots of long long-distance calls. Major no-no, and one that it is reasonable to get fired for.
/., well, that's just a company I don't want to contribute effort to in the first place. I'll take my skills elsewhere.
However, we need to keep in mind the psychological side of authoritarian monitoring. Employees, like teenagers and political dissidents, will rebel against oppressive authority. If they feel trusted, and able to lead comfortable lives, they will produce. If they feel stiffled, they will spend a disproportionate amount of time figuring out ways to thwart their restrictions.
In my company, there is a monitoring disclaimer pinned to every billboard (by every entrance) that states that monitoring is thorough and logged in the event of a tresspass. We do not have Echelon in place, since it would take a large department to pore over the data each day. But, my phone call frequency and durations are logged, my web browsing habits are logged, my entry (via keyed access card) is logged. Perhaps a log is kept of the programs I run during the course of my day...
Or maybe it isn't - maybe this is just the panopticon approach to security. Maybe they cfreate the illusion of mopnitoring to curb people's behavior. I don't know if it works, but I know it does not work on me. I'm typing this from work.
If I get fired for reading
-- What you do today will cost you a day of your life.
I used to supervise a staff of sysadmins on a government contract for the FBI. While it was my first job with that responsibility (I had to make things up as I went along), I encountered a similar issue when I caught one of my sysadmins reading other people's mail since he had the technical ability to do so.
The way I look at this is that a system administrator has a professional responsibility to to insure the integrity of the systems under his control. This means doing backups, deleting growing log files, installing security patches, and not prying into the private files of others. While it is true that the company owns the computers and the data, you have a professional responsibility to protect the data on the system.
You should politely inform Human Resources that while you have the technical means to perform such monitoring, it would be unethical to do so since you would be risking the integity of the system.
Your monitoring might pry into sensitive company matters, personnel issues, business plans, customer lists, accounting information, and other data you have the responsibility to protect.
I feel that like doctors, lawyers, and clergy, we have the duty to keep things private and to protect data.
--
Howard Roark, Architect
Howard Roark, Architect
I believe in a Man's right to exist for his own sake.
What?
This is a strange issue. Just saying it's about restricting free speech, cracking down on child pron, outlawing bong-making, or identifying anarchism is limiting the issue. What is at stake here? The ability to have FREE speech. Should we be restricted if we are on someone else's property or using their property to perform the act of "free speech"? Lawmakers seem to think so.... Corporate "suits" seem to think so as well. The general populace (citizens of the U.S.) seem to agree.
Look back a few decades. This is what states, schools, orphanages, mental hospitals, and other institutions thought about their property. For the most part, that has changed. Should corporations be exempt from free speech issues? Should corporations have more rights than the individual?
Forget email. You'll find stupid chain letters and such, but not much porn. If you want to find porn, scan the web browser disk caches. Just write a script that cycles through all the jpeg images larger than 10K. You'll find lots of junk that way, and you can probably determine exactly when it was last viewed. You'll also be able to distinguish between someone who bumped into a porn site by mistyping a URL (e.g., xfree.com instead of xfree.org) and someone who spends a good part of their day hitting porn sites.
Of course, it's easier to configure the firewall to log all connections, and then crossreference with a list of known porn sites.
Of course, if they insist on scanning email, be sure to point out that you should set up filters to check for porn access via gopher.
At IBM, they monitor everything you get, every site you visit and if you go porn surfing then they fire you. They tell this to everyone but still there are people that violate this policy. They are a little bit looser with e-mail restrictions but they are pretty tight too.
IMHO, it's the company's e-mail account, network etc. you are paid to work, but at the very least not to mess around with objectionable material that could potentially hold the company liable for if the wrong person gets some dirty e-mail. Don't think that e-mail privacy is your right at work because it's not. If you want privacy go get a hotmail account...:)
Whoever posted Vidi vici veni is genius...
to do it. that way you don't have to actually scan each and every piece of email yourself. YOU won't be violating anybody's privacy (your script will, but no human eye sees the non-guilty mail) except for those who are violating company policy.
then have the script mail the postmaster (if that isn't you) a copy of the offending mail, and they can bring it up to management.
perl is cool.
der dee der.
Are you directly assigned to HR?
:-)
If not see what you boss thinks of this (assuming
he is not an idiot).
Tell them you bussy and don't have time for witch
hunts. If they keep bothering you (and they are
a bother) stall.
If all else fails find an old line printer and
print out the contents of every mailbox and tell
them you don't have time to go through it all.
So they can.
I wonder if they read MIME
"The last thing I want to do is deal with a bunch of people who want something."
Major Major
Yea, and hopefully once the floor finds this out the intelligent ones will be looking for a new job. Definate way to see to it that your job is "Done". But as you oviously have had experience doing this and kept the people, I'm very sorry you work at a company with such unspirited individuals.
I'm willing to bet you know about those employees who waist their time on porn from personal experiences with them/complaints you hear from other employees. My point is that usually it does not take a packet sniffer to find out when your employees are waisting their time at porn. I know in my office there is atleast one person who does this. But the management already knows about it, and realizes that if they choose to do something about it, it doesn't require invasion of their privacy to fire them for such acts. (and they don't want to add another stess level to me by forcing me to impliment such a system)
we've got some pretty vindictive folks around here. That being said I LOVE the idea of busting the people who make the rules first, even if it is a set up. Of course this would be as unethical in my mind as monitoring what people consider their private correspondence, but if you're willing to do that I don't see subscribing them to lists as any less ethical (poetic justice, if you will)
+&x
I had to deal with a slightly different matter, but also related to the privacy of e-mail in a corporate environment. Here's how I handled it.
#1 tends to work very well. People tend to be afraid of getting called on the carpet later about privacy issues when word leaks out. Just make sure that when work leaks out that you have your personal butt covered.
I think that I would ask HR to first distribute a reminder to the effect that ofice email is not private and that porn is not an acceptable use of company computing resources. Personally, this would help me feel better about this sort of privacy violation as I am of the same persuaion as you: I know that companies can legally do it but I question the ethics involved. It also removes the feel of snooping that reeks of poor management. I believe in the value of monitoring at-work behavior, however, I feel that to do so secretly is not acceptable.
--If we added up all of the 2 cents that Slashdot readers gave, I wonder how much sense vs. cents wed have.
joey
+-------+ between the wish and the thing lies the world - All the Pretty Horses
While I agree that US companies have the right to perform such scans, unless privacy has been explicitly granted to employees, I would ask my boss for clarification of a pertinent question first.
What do they hope to achieve with this action?
As others have pointed out, individuals can *not* control what others send to them. Finding porn in an inbound mail box legally says absolutely nothing about the character or behavior of that person, and taking adverse action on the basis of it would almost certainly expose the company to legal action. (Consider an analogy to firing any employee who has a flyer under his windshield wiper while parked in a public lot!)
Depending upon how tightly your system is managed, even scanning user directories for pornography and taking subsequent actions can be legally risky. Did the individual download the file himself, or was he set up by an enemy within the company? If it's the latter, if the company takes adverse action it would appear they could be sued for wrongful termination, deflamation, slander and libel!
My advice is to either forget about scanning incoming mail, or simply filter all out such images. You can scan home directories for image files, but mail the user first with a reminder of your company policy regarding indecent material. Only take official notice if someone ignores the notice.
I know the HR department needs to be sensitive to sexual harassment issues in the workplace, but they also need to balance that with the very real penalties that are attached to overreacting. The classic cautionary tale is the individual fired for sexual harassment after repeating a storyline from Seinfeld ("Dolores!"). As I recall, he won a multi-million dollar judgement for wrongful termination.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Before you get on your high moral hobby horse, remember that some industries *require* logging and reviewing all email and all other communications. Any stock broker, for instance, since it's required *by the industry itself* to ensure brokers aren't making statements they can't back up. (E.g., buy Microsoft, it's *guaranteed* to double again by April 2000 when W2K knocks Unix off of all servers!)
Even if the industry doesn't require monitoring, a company may be required to perform such monitoring by legal action which you're not aware of. E.g., the original poster's company may have been hit with a million dollar sexual harassment suit and the lawyers asked for information about what's in mailboxes as part of a discovery motion. If you, and all other sysadmins "with a backbone" refuse, your company can't comply with the court order and could face dire consequences.
Does this mean that a sysadmim should roll over and do whatever his boss asks, without question? Of course not. But part of knowing what it means to say "no" is understanding what it means to say "yes" -- and I've just listed two situations where no reasonable person can refuse to comply with the order.
Finally, don't assume you can always quit. If you refuse a reasonable order and "quit," your employer can still say you were "fired, for cause (insubordination and dereliction of duty)." If the objectionable order came from a single panicked HR person, the latter characterization couldn't stand much heat. If the objectionable order came from a court order, you better pray that your future employers never check with your previous employers.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Duh, in the US an employer can't scan through an employee's PERSONAL snail- or e-mail at will.
However the law presumes that the employee receives his personal mail (of all kinds) at home. Anything that the employee receives at work is presumed to be work related unless the company has formally stated otherwise.
This sounds like a minor point, but it's not. Less than a hundred years ago employers routinely monitored employee's activities (e.g., Ford Motor Company in the early part of this century was especially notorious), and they wouldn't have thought twice about firing an employee for receiving mail *at home* from an "undesirable" party. Today an employee has an extremely high expectation of privacy *at home*.
Let's keep this problem in perspective, okay?! How many people really, really need to send and receive personal e-mail from work instead of waiting until they go home (or go to a cybercafe at lunch)? How many people really, really need to download pornography at work?
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Common carrier status has nothing to do with it. CC status primarily protects the phone company, e.g., you can't name Ma Bell as a co-conspirator even if the murder is discussed over the phone. It only affects the public in that CC status requires service be offered to the public at a fixed, published tariff.
The right to monitor (record) the phone goes with whoever pays the bill. At home, you pay so you decide whether to tap yourself. At work, your employer pays and *they* decide whether to tap their own lines. If you want to make a private call, go use the public phone on the corner. (N.B., *you* pay for that pay phone call.) The presence of a PBX system is totally irrelevant.
Finally, the recordings several other people have mentioned is a courtesy (in most states and all interstate calls) to the *caller*, not to the employee.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Why do you assume the problem was an isolated incident?
Some people spend a *lot* of time looking at non-work related sites. Glancing at CNN every couple hours is one thing (e.g., I'm sure many parents with children trapped within Columbine first learned of the situation from the web), spending hours poring over the Sports Illustrated or E-Trade sites is another. When productivity suffers, management has to pay attention.
Focusing on porn alone, it's one thing for an accidental porn redirection (e.g., "whitehouse" expanded to "www.whitehouse.com", a porn site) or deliberate viewing after hours and/or in a office with a closed door. It's another thing to leave the material up in plain sight during working hours.
We simply don't know enough about the original situation to evaluate whether it's a reasonable request. Was this a knee-jerk reaction from an HR employee who saw a bit of shock-TV on the _700 Club_? Was it a reaction to a substantial article in an HR journal? Was it a reaction to a formal complaint about sexual harassment due to a "hostile workplace environment?"
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
This is a management issue, not a technical one. You are a technician, not a manager.
I'm confused, this seriously undermines the rest of your argument. Technicians follow orders, they don't debate them and they certainly don't refuse to do them.
As an example, consider a technician at a Grease Monkey. What do you think would happen if he quietly refused to change the oil in a customer's car? Do you think his boss would simply ask the next one, or would they immediately fire his sorry ass? Do you think any future employer would care why he refused to change the oil?
I think sysadmins fall into a grey area between management and technicians. They aren't management, but management should listen to them when developing policies. If this objectionable policy already existed and was published, and the sysadmin didn't bother to complain about it before, then they'll get little sympathy if they object when it is time to actually enforce it. If this policy is new (or ad hoc) and management refuses to listen to their concerns, then quiting is much more defensible.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
Oh please.. The solution is simple, fake mail from inside the Human Resources department a few porn messages and hand them over to your superviser.. When nothing happens about it, make a stink saying that "You asked me to find the trueth and you have exploited your position in supressing this information".. Go on campains around the office stating how there are one rule for the human resources department and one rule for everyone else. Get a few innocent people fired and they will go ape shit and destroy the email scanning practices of the human resources department, probably with large court cases and grotesque amounts of money. The best thing about being a bastard operator from hell is that, after the initial fraud, you get to take the moral high ground and demand equality and privacy at the same time as delivering evidence of immoral behaviour.
These are not all my words I must say, I was majorly influenced by the BOFH expert in my office. Thanks Dave.
How we know is more important than what we know.
Oh well, I'm french, live in France, but think that France is a very nice place to live in, but NOT a nice country with respect to privacy. A few examples: a friend of mine works in a big bank and he told me not to send any bullshit in my email because they were all scanned.
Also, what about the 5000 illegal tappings performed by former president Mitterand himself?
And what about the recent discovery that Paris mayor Tiberi allegedly installed microphones in the offices of all his political opponents?
Why do you think that France waited so long before allowing strong encryption? Well, they waited until the economic loss due lack of encryption would be significant with respect to the fact that communications can't be tapped anymore.
Do you work in a lousy cubicle where you have no real work but have to tap the keys and pretend to be busy? Do you have a clueless boss who only tries to "keep you busy" but who doesn't (and can't) understand what you do?
Obviously, you need to do things to entertain yourself in a stealthy, yet entertaining manner.
What are the best techniques to fight back? (Add your hints, tips, and critiques).
1) A good monitor angle.
This is the best tactic against physical offensive maneuvers from management. The best angle is one which lets you see if someone is coming near you, but which obsures their view of your screen.
2) telnet.
Most places don't bother to monitor telnet. I was at a place that scanned web/e-mail. The first thing I did was login to my ISP's shell account. Once in telnet, I used lynx, irc, pine, etc. to spend the entire day in blissful entertainment. This is one of the best options left.
3) scripts - Really lousy employers count login times, keyboard hits, etc. Automate your work, or your work will make you an automaton.
4) Pre-emptive strikes.
If you have a manager who drops by too often, try going over to his cubicle to give an "update" before he comes by.
5) Easter eggs.
The one in Excel 95 has a DOOM like little game. Try playing it. fun for hours. Hit a key to go back to excel if someone comes by.
6) QBASIC/text based games.
All the usual games are too obtrusive and catch attention. Play a mud, do something in text mode.
Hmmm, that's all I can think of, and the Simpsons are on. Folks, add your own ideas.
Thx.
L.
PS - Oh, one more. Use rubber bands, binder clips, etc. to make funny, innovative devices.
I think that there is a Law in France that forbids the employer to scan through personal mail be it snail- or e-mail.
If they do, they cannot use it as a proof for misconduct, they will be illegal and liable of Privacy Invasion and can be sued.
So come to France All!!!
If you're valued enough, and good enough at your job this is not a problem. SAGE (SysAdmin Guild), IIRC, has some articles on this and what it boils down to is: nobody is forcing you to do anything. Refusal to do this is defensible. This is a management issue, not a technical one. You are a technician, not a manager.
Don't preach, don't condescend, and don't moralize. Simply and quietly refuse to do it. By not making a big stink about it you cost no-one any face. The first, second or third sysadmin that refuses to do this will make them reconsider, and not even bring the topic up in the future. Sing the company song and in every other way be a team player, just quietly refuse to do this one thing.
PS: Make very sure your own house is clean before you attempt this. If they do find anything remotely questionable in your mailbox, you'll be out in a heartbeat--with good reason.
Get off my lawn.
Pornography is not a big time waister, a couple of peeks to make a employees day better is likely to help both him and the company in the long run. Plus people work faster and better if they can releave some sexual tension every now and then.
If your company has anybody remotely techie you should start checking for slashdot instead. It takes lots of time, but gives very little sexual pleasure (sorry people
The world needs to grow up...
-
The above act is Public Law 99-508. You can find more information at http://thomas.loc.gov/. The relevant portion of the abstract reads:
"Amends the Federal criminal code to extend the prohibition against the unauthorized interception of communications to specified types of electronic communications. Prohibits unauthorized access to an electronic communications system in order to obtain or alter information contained in such system."
If anything, you could take the position that intercepting e-mail would violate the above act. It might at least buy you some time while your employer grumbles about lawyers.
This message has been scanned for memes and dangerous content by MindScanner, and is believed to be unclean.
I was in a dispute with one of the bosses, and we're an extremely small company and I had been writing my parents requesting help on an issue. After the day of this 'dispute' I have lost all trust for my employer and employers as a whole. My primary boss wrote me an e-mail that included a portion of an e-mail that I had sent to my dad. After I saw this, I felt rather violated.. not only did he get into my mail but he showed me that he did. Since then, other than losing the trust I had for him, I never use my work e-mail account anymore except for work purposes.
Regarding your issue, I think you should just do as you're told as far as "looking for porn" but if you find any, notify/warn the employees involved in a subtle manner while telling your employer that you didn't find anything... unless someone has excessive porn that you find bothersome and necessary to notify your employer....
I would have expected to see a question like this directed to one of the sysadmin guilds you're probably a member of (what, you're not?). If you were a member of SAGE, you would be aware of the SAGE Code of Ethics. SAGE-AU has an equivalent code.
In the SAGE code it mentions:
So, the bottom line: What do your organisation's policies allow?The usual path for this sort of stuff is to get the managers in question to publish a policy (even if it's something as crappy as voicemail to all employees warning them of the policy and the consequences of breaching it). It often helps to provide a draft policy to get them started down a reasonable path.
Then your tasks are clearly defined. Without a published policy you and your managers are walking in a minefield.
Keep in mind that the published codes are there to protect you as much as anyone else. If a manager tries to force you to act against your principles you have a recourse. As a member of a guild you can point to the published code of ethics and say "sorry, I cannot do that". "And neither will any other ethical sysadmin".
Whatever you do, get your instructions from management in writing.
Posted by polar_bear:
Unfortunately, legally the company has the right to do that - and I can't say that I think that anyone really has the RIGHT to be downloading porn on company time, either. If they ask to scan for something like content of email or something, that's fairly repulsive - but if they're asking to do a general scan for jpegs and whatnot, then simply ask that you're allowed to do a warning first, then scan a week later. If it's the first time that the company has tried to enforce a policy it wouldn't hurt to simply re-announce the policy and tell people to expect it to be enforced soon.
It's one thing for a company to check if you're downloading porn or something like that vs. a company saying anyone who's ever used company email for private use is going to be fired, or scanning content of email for comments about the boss or something.
Zonker
Yes, companies can legally snoop all they want on their employees. They can also demand that everyone piss in a bottle once per day while the company doctor watches, sing the company song, etc. But only people with no talent or valuable skills should go along with such policies. In case you haven't noticed, we are currently in a sellers' market for technical talent.
If you are a sysadmin at a company that demands that you snoop through peoples' mail, and you feel that this violates your ethics, don't go along, and, if necessary, leave. Explain to your employer that, while you agree that it is legal, you feel that it is unethical and you will not participate.
The only reasons companies can force you to put up with this crap is because too many employees don't have any backbone. The reason for respecting employees' privacy is because it is the right thing to do. Exceptions should be made for people who aren't getting the job done.
Just scan HR's mailboxes, and carefully. Heck, put them on some porn spam lists and allow them to see the folly of their ways.
demi
The problem with this theory is that corporations have more rights than people.
If you want privacy go get a hotmail account
And that's not private either (egregious security holes aside), since it's the corporation's data pipe, so watch what you say, Ashley.
This kind of slave attitude is responsible for a long slow slide back into feudalism. "Hey, Lord Bumsenfock is all that stands between you and the Tartars, and this is his land, so actually he does have the right to steal your food, kill your son, and deflower your daughter." There is no logic and no honor in this.
Between bootlicking nonsense and creationism, I'm terrified of how Americans are rushing back to the dark ages.
Expanding a vast wasteland since 1996.
Here's the deal: Phone calls cannot be monitored because the phone line is considered a "common carrier" and thus not the property of the company. E-mail and files on your PC, on the other hand, are company property, so they are legally allowed to be searched. Having said that, the crux of the matter is - because a company CAN do it, doesn't mean it SHOULD. Many companies can legally set up cameras in rest rooms. Some do so(there was even a law suit, I think), but for obvious reasons, this is a despicable practice. Similarly, your manager can legally open all your drawers after you leave work, and shuffle through your papers to see if you have a copy of Playboy in there. But how many of you would want to work in a place like that? The bigger issue is this - what exactly does a company achieve by resorting to petty monitoring, other than ruining its own culture and terrifying its employees? Just imagine the massive amount of HR resources spent on this. If someone uses their company time to browse porn, it falls under the category of "Obvious No -No Activity". A company does not install cameras in the restroom to see if its employees are jacking off there. Nor does it hire Cubicle Inspectors to walk around peering over shoulders every 5 minutes to see if someone is working (though clueless managers perform this function adequately) . We rely on common sense and mutual trust in the work place to deal with these things. I am not sure why porn is any different. Obviously we don't try to monitor people who keep playboy (the paper variety) in their drawer. History-repeats-itself Dept: An old article in InfoWorld has a programmer relating a story of the old days when printers started becoming commonplace. Combined with FORTRAN, programmers actually started writing programs to print naked women on a *dot matrix* printer. (One can only imagine how desperate they must - if you've seen a dot matrix printout.) Managers promptly had meetings to resolve the "printer/FORTRAN misuse" issue. Well, it may seem laughable now, but remember - whenever a new technology comes along, this happens. Those who "get it" embrace the potential and use it in powerful and innovative ways. Those who don't get it crack down on those who do. For obvious reasons, HR people belong to the latter category. I'm surprised a Microsoft employee is in there too. ;) BTW, "vidi vici veni" is an ancient quip, kinda like the "what is mind, doesn't matter...." joke. Oh, one more note about the phone vs. email privacy. In some states, phone lines with *extensions* can be monitored legally by the employer, since they claim the extension and PBX equipment, etc., is the property of the company. This is a grey area and there have been lawsuits about this. I believe voice mail is totally the property of the company, legally speaking. Ultimately, privacy in the work place is a cultural issue. Any company which deals with sensitivity towards the employees is doing the right thing. Any company which pisses off 10000 people to find the 1 person who looks at porn, probably is out of touch with the way the world is moving. BTW, what is the policy at companies like Microsoft, IBM, Sun, Yahoo, etc? L.
Sorry, I totally disagree, not with the fact that the company owns it (to dispute that is idiocy) but that they *should* or its *right* to spy on their employees.
I read an article yesterday from the WSJ about the practices of Herb Kelleher the wacko CEO from Southwest Airlines. When asked why his company did so well (26 straight years of profitability) he said basically because all of their employees bust their ass at work. Why? Because they love their job. Why? 'Cause they don't have to be stuck up or put up with too much stupid bullshit and are allowed to act like people not drones. Have you ever had someone sing you the safety procedures like Elvis? I did, on Southwest, flying into Memphis.
With the way businesses have to move these days (Service, service, service, it's too easy to change providers) having happy, well-adjusted, comfortable employees is beyond measure. Having scared, paranoid (because they receive a diry joke on e-mail, god forbid), and boring employees leads to that type of company.
Basically my point is that employees are there to get their work done, beyond that stay off their case.
All of this is a big reason why I chose to start my career outside of the corporate environment. I like being told and telling off-color jokes, 'cause they are just that much funnier.
(BTW the notebook example was much more accurate than your handkerchief one)
+&x