Ask Slashdot: Privacy in the Workplace

redactor asks: "I work as a sysadmin for a rather large corporation. The Human Resources department has gone on a witch-hunt, and wants me to start scanning user's email for porn. I know there have been some legal battles with this in the past. The company policy is that all data on company computers is property of the company, NOT the user, but I personally value privacy, and am refusing to do this unless it means loosing my job. How have other sysadmins been handling this?" Actually, since it's the office network, I really don't believe it's a voilation of privacy (unless said privacy was explicitly given...most workplaces don't make this guarantee).

A threatening atmosphere costs $ in productivity.

>If privacy is explicitly NOT given...then it is certainly within their realm to scan it.

Maybe so, but if a company creates a work envorinment where they feel watched all the time and that the slighest wrong movee will bring an axe down on them, their efficiency and productivity will suffer. Quality of work will drop. Losses to the company from reduced productivity may hurt the company more than if they just turn a blind eye to employees web surfing. So long as employees are doing their jobs, let 'em be happy. Happy workers are productive workers. As long as they're not hurting each other (sexual harassment) or hurting the company excessively (downloading 50GB of porn per day), just ignore minor transgressions. They're harmless. No one wants to work for Big Brother and forever live in fear of the wrath of Management.

Company Resources, so...

[Masem]

As mentioned before, someone noted that phone lines cannot be monitored as they are considered a common carrier. I would also suspect that this extends to the internet bandwidth that connects your computer to the net.

That said, the company most likely owns the mail server and the computer that you type mail from, as well as the email address you have at work. While the medium on which this goes out is public and cannot be scanned, there is nothing wrong with the company caring about how their server and email addresses are being used. (and as pointed out, this strictly has to be on outgoing mail; Any malicious person can easily send a porn ad to your work email without your consent. Additionally, Melissa-like email viruses must be taken into consideration as well, as too many companies are Outlook Express and Office people).

So if you are working for MegaCorp.com, they have every right to scan the mail on mail.megacorp.com for problematic ones. Not only is that their company policy, but if underpaid_worker@megacorp.com starts spamming bgates@microsoft.com with porn, MegaCorp's reputation can also be tarnished.

The problem is how they approach this. Porn in the workplace is a bad thing to begin with (Shades of Clarence Thomas here), and email is no exception; not only is in inappropriate, but it can lead to sexual harassment suits (In the past, I've seen a coworker talk rather vulgar and get bad glares from other workers, and that person was then talked to behind closed doors). Additionally, that email address is provided by your place of work for work-related purposes; unless you work for a porn place, porn is not work related, much less numbers of mailing lists and such. Many places are lax on that only because all work and no play == low productivity.

However, if the place of work started to demand access to your aol.com account that you paid for, sue the heck out of them.

Anyone that is intelligent enough, IMO, would have a mail account that is for more private things, whether personal communications between friends or porn or whatever, and would only access that from home.

Policy needed

[mattdm]

Companies need to develop a policy on this kind of thing. Although the current law may allow corporations wide latitude, you're opening yourself to all sorts of trouble otherwise. (Moral and morale trouble, if not legal.)

Since that doesn't seem like it's the case where you are, SAGE's Code of Ethics for sysadmins might be personally helpful, at least.

--

Are we moral sensors now?

[PG13]

This seems a common thread in censorship debates. *Everyone* even the censors agrees that censorship is wrong but, the objection goes, we should censor with the truly eggregious(sp?) offender. Right now that eggregious offender (for those with a more lazie fare approach) is child porn.

But by saying it is okay to censor something, even as bad as child porn, we have allowed an infrastructure to be built which lets us watch people and prosecute them for their communications. Just as in the classic slippery slope argument once anyone who looks at child porn goes in jail who will object when they push the line up to 'anal sex with an under 21 year old.' Each step is allowed because who wants to be identified with the small percent who watches 18 year olds get ass fucked?

Secondly while child porn is a bad thing such a massive invasion of our rights to communicate should, like any law, only be enacted if it prevents the violations of others rights? Does the child porn law really do this or only make us feel good about a subject we would rather not think about?

Does the fact that it is illegal to distribute child porn mean that more porn is made b/c the distribution is so difficult? Does the fact that he can't download any child porn off the net to jerk off to mean that your neighbor will molest your boy looking for his high?

Maybe if we only banned commercialization of child porn images less children would be molested. If they themselves weren't going to be thrown in jail we might have more informants on who is doing that actual abusing.

It is possible that the child porn laws and restrictions are a good thing despite their danger to our freedoms (worth the risk). However, the knee-jerk reaction to censor the material without even stoping to think about it is one of the worst reactions imaginable.

Re:Are we moral sensors now?

[rdemanow]

I agree with you, PG, that the government goes too far with the way the laws are written. It just so happens that it's easier for them to catch and prosecute someone with a picture of a 13 year old girl getting raped, than it is to catch and prosecute the actual rapist. The laws are written the way they are so that law enforcement can make itself *look* like it's doing it's job. Kinda like those cops who wait out by the freeway all day handing out speeding tickets, rather than going out and finding the people who are commiting more serious crimes like assault, robbery, and murder.

They also go too far in what they define as pornographic. Here, the government caters directly into the hands of the puritanical Christian zealots of the "Religious Right", and their "Moral Superiority (patent pending)". There's something seriously wrong with laws that criminalize the great artistry of people like Jock Sturges, Sally Mann, and Graham Ovenden. The way the laws are currently written, a court could interpret an image of Michelangelo's David as pornographic.

I also agree with all those who have expressed the opinion that employers should have the right to censor (yes, censor!) what appears on their networks and workstations. After all, the network, the hardware, the domain name, the IP addresses, the software, and the mail exchange servers all belong to the company. I think a company has as much right to monitor and control what their employees do on company equipent, and during the time they're being paid to work, as parents have to monitor and control what their children do and see (on TV, the 'net, who they hang out with, etc.).

It seems like common sense to me that when I'm at work, I do work, and when I'm on my own time I do whatever the hell I want.

I'm convinced that the primary reason that companies have these crackdowns on people looking at porn, or whatever, is that they're afraid that the government will hold the business criminally liable for letting their employees do it. That's another symptom of the way the laws are written. After all, a pornographic image mailed to me at my work email address resides on the company server, and is thus company property ... for which the company can be held criminally liable, the way the law currently reads.

As far as moral censorship goes ... IMNERHO, it belongs solely and completely with the individual. If you don't want to see porn, don't look at it. If you don't want your kids to see porn, teach them not to look at it. They probably will anyway, though, and you know what? There's not a thing anybody can do about it! (Just look at what criminalization has done to the drug scene.)

Anyway, I'll get down off my soapbox now and prepare to be flamed.

Just _warn_ everybody first!

[The+Creator]

Just send a warning to everybody fist. I know, send everyone a mail, something like "please clear out anything private of pornographic or political or ... scanning starts next week". That kinda thing. Now you'r in the clear on both your asses.
Simple eh?

LINUX stands for: Linux Inux Nux Ux X

If it were me...

[dav]

I would insist on first sending out a company-wide email which repeats the Computer Use Policy for your company and then blatantly states that the system will undergo periodic scans. Then wait a few days and perform the scan as requested.

The results of this scan should only be seen by a few authorized managers (not even you/me, if possible).

That covers me ethically. The authorized managers, if ethical (and good managers), will make rational and intelligent management decisons on how to act on the results.

My suggestions here: If the offending material is not illegal (not child porn or whatever might be illegal in your municipality) then the offender should be reprimanded privately. If it is illegal, well ...ethics is a tough subject matter ..you're on your own. It is important that all offenders are treated equally though.

Re:privacy advocacy

[edgy]

Granted, about the drug testing point.

However, in my opinion, there is no justification for drug testing if an employee isn't employed doing anything that could endanger someone else's life.

I would excuse drug testing if an employee shows impairment on the job. In that case, firing them is justified. This would include alcohol.

him/her --> them, he/she --> they

[Mr+Z]

Once upon a time, them and they were not specifically plural. Why not make them the gender-neutral pronouns? People do it everyday by accident, why not just make it the rule?

At the very least, everyone will understand what you're saying. Nobody should get offended, except for some grammar bigots out there that have close-minded views on the modern evolution of language.

--Joe
--

Re:Scan HR's mailboxes

[jabber]

Absolutely. And as a security enforcement method, set up an automated script that will notify the 'perp' that they've been spotted. Notify ONLY the perp, and just log the event - until/unless it's gross and repeated misconduct.

However - this is a sure way to get fired, since everyone is equal, except for those in management, who are MORE equal. Rub the people in power the wrong way, and you'll end up with no reference from this job.

Re:Phone calls vs. E-mail

[jabber]

A company may not be able to monitor the content of a phone call (legally), but the frequency, type and duration of phone calls are fair game. Especially if you're on a PBX, making lots of long long-distance calls. Major no-no, and one that it is reasonable to get fired for.

However, we need to keep in mind the psychological side of authoritarian monitoring. Employees, like teenagers and political dissidents, will rebel against oppressive authority. If they feel trusted, and able to lead comfortable lives, they will produce. If they feel stiffled, they will spend a disproportionate amount of time figuring out ways to thwart their restrictions.

In my company, there is a monitoring disclaimer pinned to every billboard (by every entrance) that states that monitoring is thorough and logged in the event of a tresspass. We do not have Echelon in place, since it would take a large department to pore over the data each day. But, my phone call frequency and durations are logged, my web browsing habits are logged, my entry (via keyed access card) is logged. Perhaps a log is kept of the programs I run during the course of my day...

Or maybe it isn't - maybe this is just the panopticon approach to security. Maybe they cfreate the illusion of mopnitoring to curb people's behavior. I don't know if it works, but I know it does not work on me. I'm typing this from work.

If I get fired for reading /., well, that's just a company I don't want to contribute effort to in the first place. I'll take my skills elsewhere.

Professional ethics

[Howard+Roark]

I used to supervise a staff of sysadmins on a government contract for the FBI. While it was my first job with that responsibility (I had to make things up as I went along), I encountered a similar issue when I caught one of my sysadmins reading other people's mail since he had the technical ability to do so.

The way I look at this is that a system administrator has a professional responsibility to to insure the integrity of the systems under his control. This means doing backups, deleting growing log files, installing security patches, and not prying into the private files of others. While it is true that the company owns the computers and the data, you have a professional responsibility to protect the data on the system.

You should politely inform Human Resources that while you have the technical means to perform such monitoring, it would be unethical to do so since you would be risking the integity of the system.

Your monitoring might pry into sensitive company matters, personnel issues, business plans, customer lists, accounting information, and other data you have the responsibility to protect.

I feel that like doctors, lawyers, and clergy, we have the duty to keep things private and to protect data.
--
Howard Roark, Architect

Re:Forget it...

[Peyna]

Is it possible to guarantee that those people won't get into trouble? Idealistically (and I think we all must agree that the entire linux "movement" is pretty idealistic, as well Americans as a whole (sorry for excluded everyone else, I don't know what your countries are like, so I don't want to include them unknowingly)) your plan would work great, but theoretically, I think that the only way to do it, if you feel that this is an invasion of privacy in the workplace, is that you should go up to those who told you to do it, and let them know that. If you value your job enough, and let them know it, I doubt they'll threaten your job with it. That, or demand that if they won't do it themselves, that you'll simply cover everything up. I think that'll make em think.

Corporate vs Individual Rights

[Photon+Ghoul]

This is a strange issue. Just saying it's about restricting free speech, cracking down on child pron, outlawing bong-making, or identifying anarchism is limiting the issue. What is at stake here? The ability to have FREE speech. Should we be restricted if we are on someone else's property or using their property to perform the act of "free speech"? Lawmakers seem to think so.... Corporate "suits" seem to think so as well. The general populace (citizens of the U.S.) seem to agree.

Look back a few decades. This is what states, schools, orphanages, mental hospitals, and other institutions thought about their property. For the most part, that has changed. Should corporations be exempt from free speech issues? Should corporations have more rights than the individual?

Scan web caches

[crow]

Forget email. You'll find stupid chain letters and such, but not much porn. If you want to find porn, scan the web browser disk caches. Just write a script that cycles through all the jpeg images larger than 10K. You'll find lots of junk that way, and you can probably determine exactly when it was last viewed. You'll also be able to distinguish between someone who bumped into a porn site by mistyping a URL (e.g., xfree.com instead of xfree.org) and someone who spends a good part of their day hitting porn sites.

Of course, it's easier to configure the firewall to log all connections, and then crossreference with a list of known porn sites.

Of course, if they insist on scanning email, be sure to point out that you should set up filters to check for porn access via gopher.

You don't have the privacy right (nor should you)

[AshleyB]

At IBM, they monitor everything you get, every site you visit and if you go porn surfing then they fire you. They tell this to everyone but still there are people that violate this policy. They are a little bit looser with e-mail restrictions but they are pretty tight too.

IMHO, it's the company's e-mail account, network etc. you are paid to work, but at the very least not to mess around with objectionable material that could potentially hold the company liable for if the wrong person gets some dirty e-mail. Don't think that e-mail privacy is your right at work because it's not. If you want privacy go get a hotmail account...:)

Whoever posted Vidi vici veni is genius...

write a script...

[nion]

to do it. that way you don't have to actually scan each and every piece of email yourself. YOU won't be violating anybody's privacy (your script will, but no human eye sees the non-guilty mail) except for those who are violating company policy.

then have the script mail the postmaster (if that isn't you) a copy of the offending mail, and they can bring it up to management.

perl is cool.

Do you work for HR?

[demigod]

Are you directly assigned to HR?

If not see what you boss thinks of this (assuming
he is not an idiot).

Tell them you bussy and don't have time for witch
hunts. If they keep bothering you (and they are
a bother) stall.

If all else fails find an old line printer and
print out the contents of every mailbox and tell
them you don't have time to go through it all.
So they can.

I wonder if they read MIME :-)

Re:What you should be looking for...

[MindStalker]

Yea, and hopefully once the floor finds this out the intelligent ones will be looking for a new job. Definate way to see to it that your job is "Done". But as you oviously have had experience doing this and kept the people, I'm very sorry you work at a company with such unspirited individuals.

Re:But what do you do?

[MindStalker]

I'm willing to bet you know about those employees who waist their time on porn from personal experiences with them/complaints you hear from other employees. My point is that usually it does not take a packet sniffer to find out when your employees are waisting their time at porn. I know in my office there is atleast one person who does this. But the management already knows about it, and realizes that if they choose to do something about it, it doesn't require invasion of their privacy to fire them for such acts. (and they don't want to add another stess level to me by forcing me to impliment such a system)

Jeez, and I thought BOFH was a joke

[Wah]

we've got some pretty vindictive folks around here. That being said I LOVE the idea of busting the people who make the rules first, even if it is a set up. Of course this would be as unethical in my mind as monitoring what people consider their private correspondence, but if you're willing to do that I don't see subscribing them to lists as any less ethical (poetic justice, if you will)

What to do

[ogren]

I had to deal with a slightly different matter, but also related to the privacy of e-mail in a corporate environment. Here's how I handled it.

1. Don't do anything without written instructions from the Head of HR and the Head of IT. Otherwise it will come back to haunt you. Besides it will usually make people back off. No one wants to be the one who's name is on the "snooping" order.
2. Politely say that you'll comply if you're given written instructions, but you don't agree with the decision.
3. Spread the word about what's going to happen a couple of days before it will happen. This will let everybody get any personal e-mails out of their mail stores, and will also allow the possibility of a grass roots revolt.

#1 tends to work very well. People tend to be afraid of getting called on the carpet later about privacy issues when word leaks out. Just make sure that when work leaks out that you have your personal butt covered.

Send out a reminder first.

[proboy256]

I think that I would ask HR to first distribute a reminder to the effect that ofice email is not private and that porn is not an acceptable use of company computing resources. Personally, this would help me feel better about this sort of privacy violation as I am of the same persuaion as you: I know that companies can legally do it but I question the ethics involved. It also removes the feel of snooping that reeks of poor management. I believe in the value of monitoring at-work behavior, however, I feel that to do so secretly is not acceptable.

--If we added up all of the 2 cents that Slashdot readers gave, I wonder how much sense vs. cents wed have.

joey

What do they hope to achieve?

[coyote-san]

While I agree that US companies have the right to perform such scans, unless privacy has been explicitly granted to employees, I would ask my boss for clarification of a pertinent question first.

What do they hope to achieve with this action?

As others have pointed out, individuals can *not* control what others send to them. Finding porn in an inbound mail box legally says absolutely nothing about the character or behavior of that person, and taking adverse action on the basis of it would almost certainly expose the company to legal action. (Consider an analogy to firing any employee who has a flyer under his windshield wiper while parked in a public lot!)

Depending upon how tightly your system is managed, even scanning user directories for pornography and taking subsequent actions can be legally risky. Did the individual download the file himself, or was he set up by an enemy within the company? If it's the latter, if the company takes adverse action it would appear they could be sued for wrongful termination, deflamation, slander and libel!

My advice is to either forget about scanning incoming mail, or simply filter all out such images. You can scan home directories for image files, but mail the user first with a reminder of your company policy regarding indecent material. Only take official notice if someone ignores the notice.

I know the HR department needs to be sensitive to sexual harassment issues in the workplace, but they also need to balance that with the very real penalties that are attached to overreacting. The classic cautionary tale is the individual fired for sexual harassment after repeating a storyline from Seinfeld ("Dolores!"). As I recall, he won a multi-million dollar judgement for wrongful termination.

Some industries *require* snooping

[coyote-san]

Before you get on your high moral hobby horse, remember that some industries *require* logging and reviewing all email and all other communications. Any stock broker, for instance, since it's required *by the industry itself* to ensure brokers aren't making statements they can't back up. (E.g., buy Microsoft, it's *guaranteed* to double again by April 2000 when W2K knocks Unix off of all servers!)

Even if the industry doesn't require monitoring, a company may be required to perform such monitoring by legal action which you're not aware of. E.g., the original poster's company may have been hit with a million dollar sexual harassment suit and the lawyers asked for information about what's in mailboxes as part of a discovery motion. If you, and all other sysadmins "with a backbone" refuse, your company can't comply with the court order and could face dire consequences.

Does this mean that a sysadmim should roll over and do whatever his boss asks, without question? Of course not. But part of knowing what it means to say "no" is understanding what it means to say "yes" -- and I've just listed two situations where no reasonable person can refuse to comply with the order.

Finally, don't assume you can always quit. If you refuse a reasonable order and "quit," your employer can still say you were "fired, for cause (insubordination and dereliction of duty)." If the objectionable order came from a single panicked HR person, the latter characterization couldn't stand much heat. If the objectionable order came from a court order, you better pray that your future employers never check with your previous employers.

Same in the US

[coyote-san]

Duh, in the US an employer can't scan through an employee's PERSONAL snail- or e-mail at will.

However the law presumes that the employee receives his personal mail (of all kinds) at home. Anything that the employee receives at work is presumed to be work related unless the company has formally stated otherwise.

This sounds like a minor point, but it's not. Less than a hundred years ago employers routinely monitored employee's activities (e.g., Ford Motor Company in the early part of this century was especially notorious), and they wouldn't have thought twice about firing an employee for receiving mail *at home* from an "undesirable" party. Today an employee has an extremely high expectation of privacy *at home*.

Let's keep this problem in perspective, okay?! How many people really, really need to send and receive personal e-mail from work instead of waiting until they go home (or go to a cybercafe at lunch)? How many people really, really need to download pornography at work?

"common carrier"

[coyote-san]

Common carrier status has nothing to do with it. CC status primarily protects the phone company, e.g., you can't name Ma Bell as a co-conspirator even if the murder is discussed over the phone. It only affects the public in that CC status requires service be offered to the public at a fixed, published tariff.

The right to monitor (record) the phone goes with whoever pays the bill. At home, you pay so you decide whether to tap yourself. At work, your employer pays and *they* decide whether to tap their own lines. If you want to make a private call, go use the public phone on the corner. (N.B., *you* pay for that pay phone call.) The presence of a PBX system is totally irrelevant.

Finally, the recordings several other people have mentioned is a courtesy (in most states and all interstate calls) to the *caller*, not to the employee.

Re:Selling our souls for silver and gold

[coyote-san]

Why do you assume the problem was an isolated incident?

Some people spend a *lot* of time looking at non-work related sites. Glancing at CNN every couple hours is one thing (e.g., I'm sure many parents with children trapped within Columbine first learned of the situation from the web), spending hours poring over the Sports Illustrated or E-Trade sites is another. When productivity suffers, management has to pay attention.

Focusing on porn alone, it's one thing for an accidental porn redirection (e.g., "whitehouse" expanded to "www.whitehouse.com", a porn site) or deliberate viewing after hours and/or in a office with a closed door. It's another thing to leave the material up in plain sight during working hours.

We simply don't know enough about the original situation to evaluate whether it's a reasonable request. Was this a knee-jerk reaction from an HR employee who saw a bit of shock-TV on the _700 Club_? Was it a reaction to a substantial article in an HR journal? Was it a reaction to a formal complaint about sexual harassment due to a "hostile workplace environment?"

Re:Been there, but didn't do it--here's how.

[coyote-san]

This is a management issue, not a technical one. You are a technician, not a manager.

I'm confused, this seriously undermines the rest of your argument. Technicians follow orders, they don't debate them and they certainly don't refuse to do them.

As an example, consider a technician at a Grease Monkey. What do you think would happen if he quietly refused to change the oil in a customer's car? Do you think his boss would simply ask the next one, or would they immediately fire his sorry ass? Do you think any future employer would care why he refused to change the oil?

I think sysadmins fall into a grey area between management and technicians. They aren't management, but management should listen to them when developing policies. If this objectionable policy already existed and was published, and the sysadmin didn't bother to complain about it before, then they'll get little sympathy if they object when it is time to actually enforce it. If this policy is new (or ad hoc) and management refuses to listen to their concerns, then quiting is much more defensible.

BOFH strikes again

[QuantumG]

Oh please.. The solution is simple, fake mail from inside the Human Resources department a few porn messages and hand them over to your superviser.. When nothing happens about it, make a stink saying that "You asked me to find the trueth and you have exploited your position in supressing this information".. Go on campains around the office stating how there are one rule for the human resources department and one rule for everyone else. Get a few innocent people fired and they will go ape shit and destroy the email scanning practices of the human resources department, probably with large court cases and grotesque amounts of money. The best thing about being a bastard operator from hell is that, after the initial fraud, you get to take the moral high ground and demand equality and privacy at the same time as delivering evidence of immoral behaviour.

These are not all my words I must say, I was majorly influenced by the BOFH expert in my office. Thanks Dave.

Re:France and Privacy

[JPS]

Oh well, I'm french, live in France, but think that France is a very nice place to live in, but NOT a nice country with respect to privacy. A few examples: a friend of mine works in a big bank and he told me not to send any bullshit in my email because they were all scanned.

Also, what about the 5000 illegal tappings performed by former president Mitterand himself?
And what about the recent discovery that Paris mayor Tiberi allegedly installed microphones in the offices of all his political opponents?

Why do you think that France waited so long before allowing strong encryption? Well, they waited until the economic loss due lack of encryption would be significant with respect to the fact that communications can't be tapped anymore.

Fighting the system (Add your tips here)

[Lucius+Lucanius]

Do you work in a lousy cubicle where you have no real work but have to tap the keys and pretend to be busy? Do you have a clueless boss who only tries to "keep you busy" but who doesn't (and can't) understand what you do?

Obviously, you need to do things to entertain yourself in a stealthy, yet entertaining manner.

What are the best techniques to fight back? (Add your hints, tips, and critiques).

1) A good monitor angle.

This is the best tactic against physical offensive maneuvers from management. The best angle is one which lets you see if someone is coming near you, but which obsures their view of your screen.

2) telnet.

Most places don't bother to monitor telnet. I was at a place that scanned web/e-mail. The first thing I did was login to my ISP's shell account. Once in telnet, I used lynx, irc, pine, etc. to spend the entire day in blissful entertainment. This is one of the best options left.

3) scripts - Really lousy employers count login times, keyboard hits, etc. Automate your work, or your work will make you an automaton.

4) Pre-emptive strikes.

If you have a manager who drops by too often, try going over to his cubicle to give an "update" before he comes by.

5) Easter eggs.

The one in Excel 95 has a DOOM like little game. Try playing it. fun for hours. Hit a key to go back to excel if someone comes by.

6) QBASIC/text based games.

All the usual games are too obtrusive and catch attention. Play a mud, do something in text mode.

Hmmm, that's all I can think of, and the Simpsons are on. Folks, add your own ideas.

Thx.
L.

PS - Oh, one more. Use rubber bands, binder clips, etc. to make funny, innovative devices.

France and Privacy

[gproux]

I think that there is a Law in France that forbids the employer to scan through personal mail be it snail- or e-mail.

If they do, they cannot use it as a proof for misconduct, they will be illegal and liable of Privacy Invasion and can be sued.

So come to France All!!!

Been there, but didn't do it--here's how.

[clintp]

How? I politely refused. I said, "I'm sorry, I cannot do that with a clear conscience." They may taunt, cajole, and threaten but keep repeating the mantra, "I'm sorry, I can't do this."

If you're valued enough, and good enough at your job this is not a problem. SAGE (SysAdmin Guild), IIRC, has some articles on this and what it boils down to is: nobody is forcing you to do anything. Refusal to do this is defensible. This is a management issue, not a technical one. You are a technician, not a manager.

Don't preach, don't condescend, and don't moralize. Simply and quietly refuse to do it. By not making a big stink about it you cost no-one any face. The first, second or third sysadmin that refuses to do this will make them reconsider, and not even bring the topic up in the future. Sing the company song and in every other way be a team player, just quietly refuse to do this one thing.

PS: Make very sure your own house is clean before you attempt this. If they do find anything remotely questionable in your mailbox, you'll be out in a heartbeat--with good reason.

What you should be looking for...

[Hobbex]

Pornography is not a big time waister, a couple of peeks to make a employees day better is likely to help both him and the company in the long run. Plus people work faster and better if they can releave some sexual tension every now and then.

If your company has anybody remotely techie you should start checking for slashdot instead. It takes lots of time, but gives very little sexual pleasure (sorry people :-) ).

The world needs to grow up...

-
/. is like a steer's horns, a point here, a point there and a lot of bull in between.

Electronic Communications Privacy Act of 1986

[Farce+Pest]

The above act is Public Law 99-508. You can find more information at http://thomas.loc.gov/. The relevant portion of the abstract reads:

"Amends the Federal criminal code to extend the prohibition against the unauthorized interception of communications to specified types of electronic communications. Prohibits unauthorized access to an electronic communications system in order to obtain or alter information contained in such system."

If anything, you could take the position that intercepting e-mail would violate the above act. It might at least buy you some time while your employer grumbles about lawyers.

I caught my employer reading my email

[pzil0cyb3]

I was in a dispute with one of the bosses, and we're an extremely small company and I had been writing my parents requesting help on an issue. After the day of this 'dispute' I have lost all trust for my employer and employers as a whole. My primary boss wrote me an e-mail that included a portion of an e-mail that I had sent to my dad. After I saw this, I felt rather violated.. not only did he get into my mail but he showed me that he did. Since then, other than losing the trust I had for him, I never use my work e-mail account anymore except for work purposes.

Regarding your issue, I think you should just do as you're told as far as "looking for porn" but if you find any, notify/warn the employees involved in a subtle manner while telling your employer that you didn't find anything... unless someone has excessive porn that you find bothersome and necessary to notify your employer....

Follow your guild's code of ethics

[Wookie+Athos]

(unless you disagree with it I guess :)

I would have expected to see a question like this directed to one of the sysadmin guilds you're probably a member of (what, you're not?). If you were a member of SAGE, you would be aware of the SAGE Code of Ethics. SAGE-AU has an equivalent code.

In the SAGE code it mentions:

System administrators will not exercise their special powers to access any private information other than when necessary to their role as system managers, and then only to the degree necessary to perform that role, while remaining within established site policies.

So, the bottom line: What do your organisation's policies allow?

The usual path for this sort of stuff is to get the managers in question to publish a policy (even if it's something as crappy as voicemail to all employees warning them of the policy and the consequences of breaching it). It often helps to provide a draft policy to get them started down a reasonable path.
Then your tasks are clearly defined. Without a published policy you and your managers are walking in a minefield.

Keep in mind that the published codes are there to protect you as much as anyone else. If a manager tries to force you to act against your principles you have a recourse. As a member of a guild you can point to the published code of ethics and say "sorry, I cannot do that". "And neither will any other ethical sysadmin".

Whatever you do, get your instructions from management in writing.

Fair Warning

[gavinhall]

Posted by polar_bear:

Unfortunately, legally the company has the right to do that - and I can't say that I think that anyone really has the RIGHT to be downloading porn on company time, either. If they ask to scan for something like content of email or something, that's fairly repulsive - but if they're asking to do a general scan for jpegs and whatnot, then simply ask that you're allowed to do a warning first, then scan a week later. If it's the first time that the company has tried to enforce a policy it wouldn't hurt to simply re-announce the policy and tell people to expect it to be enforced soon.

It's one thing for a company to check if you're downloading porn or something like that vs. a company saying anyone who's ever used company email for private use is going to be fired, or scanning content of email for comments about the boss or something.

Zonker

The law is irrelevant here

[JoeBuck]

Yes, companies can legally snoop all they want on their employees. They can also demand that everyone piss in a bottle once per day while the company doctor watches, sing the company song, etc. But only people with no talent or valuable skills should go along with such policies. In case you haven't noticed, we are currently in a sellers' market for technical talent.

If you are a sysadmin at a company that demands that you snoop through peoples' mail, and you feel that this violates your ethics, don't go along, and, if necessary, leave. Explain to your employer that, while you agree that it is legal, you feel that it is unethical and you will not participate.

The only reasons companies can force you to put up with this crap is because too many employees don't have any backbone. The reason for respecting employees' privacy is because it is the right thing to do. Exceptions should be made for people who aren't getting the job done.

Scan HR's mailboxes

[demi]

Just scan HR's mailboxes, and carefully. Heck, put them on some porn spam lists and allow them to see the folly of their ways.

Web Serfs

[MadAhab]

The problem with this theory is that corporations have more rights than people.

If you want privacy go get a hotmail account

And that's not private either (egregious security holes aside), since it's the corporation's data pipe, so watch what you say, Ashley.

This kind of slave attitude is responsible for a long slow slide back into feudalism. "Hey, Lord Bumsenfock is all that stands between you and the Tartars, and this is his land, so actually he does have the right to steal your food, kill your son, and deflower your daughter." There is no logic and no honor in this.

Between bootlicking nonsense and creationism, I'm terrified of how Americans are rushing back to the dark ages.

Phone calls vs. E-mail

[Lucius+Lucanius]

Here's the deal: Phone calls cannot be monitored because the phone line is considered a "common carrier" and thus not the property of the company. E-mail and files on your PC, on the other hand, are company property, so they are legally allowed to be searched. Having said that, the crux of the matter is - because a company CAN do it, doesn't mean it SHOULD. Many companies can legally set up cameras in rest rooms. Some do so(there was even a law suit, I think), but for obvious reasons, this is a despicable practice. Similarly, your manager can legally open all your drawers after you leave work, and shuffle through your papers to see if you have a copy of Playboy in there. But how many of you would want to work in a place like that? The bigger issue is this - what exactly does a company achieve by resorting to petty monitoring, other than ruining its own culture and terrifying its employees? Just imagine the massive amount of HR resources spent on this. If someone uses their company time to browse porn, it falls under the category of "Obvious No -No Activity". A company does not install cameras in the restroom to see if its employees are jacking off there. Nor does it hire Cubicle Inspectors to walk around peering over shoulders every 5 minutes to see if someone is working (though clueless managers perform this function adequately) . We rely on common sense and mutual trust in the work place to deal with these things. I am not sure why porn is any different. Obviously we don't try to monitor people who keep playboy (the paper variety) in their drawer. History-repeats-itself Dept: An old article in InfoWorld has a programmer relating a story of the old days when printers started becoming commonplace. Combined with FORTRAN, programmers actually started writing programs to print naked women on a *dot matrix* printer. (One can only imagine how desperate they must - if you've seen a dot matrix printout.) Managers promptly had meetings to resolve the "printer/FORTRAN misuse" issue. Well, it may seem laughable now, but remember - whenever a new technology comes along, this happens. Those who "get it" embrace the potential and use it in powerful and innovative ways. Those who don't get it crack down on those who do. For obvious reasons, HR people belong to the latter category. I'm surprised a Microsoft employee is in there too. ;) BTW, "vidi vici veni" is an ancient quip, kinda like the "what is mind, doesn't matter...." joke. Oh, one more note about the phone vs. email privacy. In some states, phone lines with *extensions* can be monitored legally by the employer, since they claim the extension and PBX equipment, etc., is the property of the company. This is a grey area and there have been lawsuits about this. I believe voice mail is totally the property of the company, legally speaking. Ultimately, privacy in the work place is a cultural issue. Any company which deals with sensitivity towards the employees is doing the right thing. Any company which pisses off 10000 people to find the 1 person who looks at porn, probably is out of touch with the way the world is moving. BTW, what is the policy at companies like Microsoft, IBM, Sun, Yahoo, etc? L.

No, that's a bad attitude

[Wah]

Sorry, I totally disagree, not with the fact that the company owns it (to dispute that is idiocy) but that they *should* or its *right* to spy on their employees.

I read an article yesterday from the WSJ about the practices of Herb Kelleher the wacko CEO from Southwest Airlines. When asked why his company did so well (26 straight years of profitability) he said basically because all of their employees bust their ass at work. Why? Because they love their job. Why? 'Cause they don't have to be stuck up or put up with too much stupid bullshit and are allowed to act like people not drones. Have you ever had someone sing you the safety procedures like Elvis? I did, on Southwest, flying into Memphis.
With the way businesses have to move these days (Service, service, service, it's too easy to change providers) having happy, well-adjusted, comfortable employees is beyond measure. Having scared, paranoid (because they receive a diry joke on e-mail, god forbid), and boring employees leads to that type of company.
Basically my point is that employees are there to get their work done, beyond that stay off their case.
All of this is a big reason why I chose to start my career outside of the corporate environment. I like being told and telling off-color jokes, 'cause they are just that much funnier.

(BTW the notebook example was much more accurate than your handkerchief one)