Slashdot Log In
US Firms Read Employee E-mail On a Massive Scale
Posted by
timothy
on Thu May 22, 2008 08:12 AM
from the this-call-may-be-monitored dept.
from the this-call-may-be-monitored dept.
An anonymous reader writes "In its fifth annual study of outbound e-mail and data loss prevention issues, Proofpoint found that 41% of the largest companies surveyed (those with 20,000 or more employees) reported that they employ staff to read or otherwise analyze the contents of outbound e-mail. 22% of these companies said they employ staff primarily or exclusively for this purpose."
Related Stories
[+]
Ask Slashdot: How Pervasive is ISP Outbound Email Filtering? 281 comments
Erris writes "A member of the Baton Rouge LUG noticed that Cox checks the text of outgoing email and rejects mail containing key phrases. I was aware of forced inbox filtering that has caused problems and been abused by other ISPs in China and in the US. I've also read about forced use of ISP SMTP and outbound throttling, but did not know they outbound filtered as well. How prevalent and justified is this practice? Wouldn't it be better to cut off people with infected computers than to censor the internet?"
Submission: U.S. Corporations Massively Read Employee E-mail by Anonymous Coward
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Get back to work! (Score:5, Funny)
Re:Get back to work! (Score:5, Interesting)
Images were displayed of what people were surfing. I also attached the ip address of the user to the image.
It stopped inappropriate internet surfing in that office in 3 days.
When everyone can wee what you are doing, you get back to real work.
Parent
Re:Get back to work! (Score:5, Funny)
Parent
Re: (Score:3, Insightful)
Also, Tor and/or encryption.
Re:Get back to work! (Score:4, Informative)
Yet, I don't know who has managed to slit my tires consistently for the past 3 years since I started this approach. Also, since I never get asked to company socials I've got more free time to think of even more creative ways to piss off my fellow staff members.
Of course this all could be solved if we worked in a business that required actually creating/inventing products instead of managing peoples services.
Parent
Re:Get back to work! (Score:4, Informative)
Parent
Not even Google would allow "special" browsing ... (Score:5, Insightful)
Note that the original poster wrote 'I stopped "special" surfing at the office'. There is a pretty high probability that this is referring to porn. Tolerating employees visiting porn sites is one way a company can get sued. Of course while the solution described in this article is cool and amusing, it is probably another way to get a company sued.
Ever wonder why Google is so successful?
Inertia mostly. They had a brilliant idea a while ago and have refined it since then to maintain competitiveness. Google has done many cool things since then but they are mostly a drain on success or neutral, some mild successes, but no big successes outside the original domain. Also, it is doubtful Google allows employees to browse porn sites either. With their deep pockets their fears regarding law suits are going to be pretty high.
Clue: "Law of Small Numbers", http://en.wikipedia.org/wiki/Hasty_generalization [wikipedia.org].
Now at least one element of Google culture, allowing employees the time to work on pet projects that many benefit the company, may have a proven track record. 3M allowed this for decades and many useful products emerged. Google may follow 3M's lead, but it is a little early to pass judgement.
Parent
No hidden agenda here (Score:5, Insightful)
It may be just me, but I get really suspicious when a company in any business sponsors a survey and then uses the results to justify their own existence.
Re:It's a waste of money. (Score:5, Insightful)
If they are disclosing that they monitor your use of their resources, you can choose if you are willing to put up with it or not.
Parent
Is this surprising? (Score:5, Insightful)
Don't use your work email for personal stuff. It was never a good idea, and it's becoming ever less of a good idea. Don't say anything in an email that you wouldn't say in person or in writing. Be professional.
Also, don't forward chain letters, don't send around forwards of kitten pictures, pr0n, jokes, political screeds, etc. etc. Most people don't want to get it and you're wasting bandwidth.
Re:Is this surprising? (Score:5, Insightful)
Personal emails should only ever be sent from personal email accounts. That's just common sense.
After all, how dumb is it to put personal information into a system that is likely to see it archived for years in a system you are unlikely to have any control over.
Work email should be just for that, work. Just saying that won't work though, people, especially people who use computers, act with some kind of weird collective stupidity at times that can cause even the most sensible people to do and say things they would never do otherwise.
Better to monitor and make sure everyone follows the rules then have an email from your company showing up on the Internet saying something you would never condone.
Before any 'ooh, I've read 1984 so I am an expert on surveillance societies' morons chip in, I'm talking about the cold hard reality of business here. One wrong word can send stock prices through the floor.
Parent
Re:Is this surprising? (Score:5, Interesting)
I was shocked at what I saw. People shopping around their resume, looking for new jobs. People emailing people who they were involved with in an extra-marital affair. And lots of the other junk you mention. And this was primarily involving execs.
Parent
re: personal email at work (and alternatives) (Score:4, Insightful)
Some employees don't even have a home computer with Internet access, so all their friends start sending their "funny photos", jokes, and so forth to the only contact address they can find for the person - the work email.
You *could* "blacklist" those people from sending you things, but come on! These are the employee's friends or relatives. They really don't want to block everything they might send them, because sometimes it's relevant or useful.
Parent
Your rights? (Score:3, Insightful)
Re:Your rights? (Score:5, Insightful)
I agree with you. Also, it doesn't even have to be like that.
I see it like writing a letter and using company letterhead - only it's a domain for email. Your correspondence can imply that it's part of the business of the company you're sending it from. Now, I know someone is going to write, "So, if I send an email from my Yahoo! mail account it implies that I'm doing Yahoo! business?!"
No. That's not what I'm saying. If I'm at my place of employment and send an email to someone that may be inflammatory, offensive, threatening, or whatever, someone can come back and say, "Hey, what's this? Someone at XYZ Inc. is threatening folks?!?"
Parent
Re:Your rights? (Score:4, Insightful)
The company can solve this problem by making sure that it doesn't block web mail sites. After all, the problem is the domain name right?
Parent
Not at my company (Score:5, Funny)
Surprise? Nope. I had a boss, once... (Score:5, Informative)
I didn't realize the extent of their monitoring! In the contract, it simply said 'all available facilities will be used to monitor employees while working'. I figured they'd check my email once in a while. They read emails, login/logout times, tracked employee positions (cameras in the office! A friend of mine was fired for taking breaks, when he went into his 'final' meeting, they showed him a time lapsed video of himself!) and recorded phone calls.
All this would come up only when they had a problem with your work - If you produced results, they didn't care what you did otherwise, but if you weren't getting sales, they found some other reason why you were doing poorly...
I spent 2 weeks skipping breaks and working through lunch trying to get a big (BIG!) contract and I was asked by my manager to do try to get this contract. I spent the rest of my time trying to make some money in the meantime... and I was brought into the office one day and they presented me with the emails I'd sent to my wife during those two weeks and told me that I was wasting company time. I told them they needed to look at the cameras to see I never left my desk, and to check the phone tapes for the last week to see that I was working hard. Turns out they only saved the conversations for a day or two...
I never got 'disciplined' for poor results after that.
Re:Surprise? Nope. I had a boss, once... (Score:5, Insightful)
Parent
Re:Surprise? Nope. I had a boss, once... (Score:4, Insightful)
I also have to point out that the people who do actual work are the ones impacted by this sort of bullshit. Executives don't get disciplined/fired for sending a three-line email to their spouses unless one of the other executives wants them gone for some reason.
Parent
Employers should be reasonable (Score:4, Insightful)
I always told my employees that as long as they got their work done with good quality and on time, we would get along just fine. If they abused that trust they might get a warning but only once. And you know what? It worked. I've had very little turnover and high morale and my employees really worked hard. Sending a few innocuous emails to a significant other doesn't qualify as a breach of trust. Looking at porn in the workplace would be a firing offense. It's really all about what is reasonable.
Parent
Re:Employers should be reasonable (Score:4, Insightful)
What does this mean for employees? Develop expertise. If your skills are in reasonably high demand, and you can't be easily replaced, the power weighs heavily on the side of the employee.
Parent
Re:Employers should be reasonable (Score:4, Insightful)
The employer/employee relationship is not equitable only if you let it be that way. They need something done and are offering you compensation to do it. That's a fair trade. If the company is not offering fair compensation in reasonable working conditions then don't take the job. Yes, sometimes you'll run into some assclown running the show. Move on as soon as circumstances allow. It's a big world and life is too short to spend it working for jerks.
Parent
"Otherwise analyze" (Score:5, Insightful)
I would imagine that that breaks down to 100% running scanners against email and maybe looking at flagged messages and 0% routine reading of email.
Given the tedium of slogging through just my own email, you couldn't pay me to spend all day doing that for other people.
don't use work email for anything personal (Score:4, Insightful)
wow, talk about a non-issue.
Re:don't use work email for anything personal (Score:5, Interesting)
Parent
Cool Job!! (Score:4, Funny)
I would like to apply for the job of Chief Sneak and Tattle-tale at your company. I believe I have the relevant nosiness, curiousity and contempt for my fellow employees, along with an over-riding ability to toady to management. I also love lauding it over other people that I know their business.
Re: (Score:3, Funny)
Re: (Score:3, Funny)
Should this surprise anyone? (Score:4, Insightful)
How many have to? (Score:5, Informative)
Re:How many have to? (Score:5, Informative)
Of course the brokers knew that was the case when they were hired. You can't argue with the SEC.
I know that there is bad, privacy-invading snooping going on in some firms, but when I see statistics like "41%" I want to know how many were doing it because they had to vs how many were just being creeps.
Parent
Not available in all countries... (Score:5, Informative)
ttyl
Farrell
Re:Not available in all countries... (Score:4, Informative)
Email is treated like paper mail, however if it is addressed to the company, then they own it. and can read/open and redirect as they see fit.
The company, or anyone cant read your personal mail, but if it has the companies address on it, it is addressed to them, so they can.
Parent
Believe it or not, you asked for it (Score:5, Informative)
A receptionist for our company was fired for sending out bulk pornographic email, including video. He has done it for months. He's suing us, because he claims he was fired because he is gay. We only have a few of those emails that he send on backup because our backup only goes so far, will it be enough to not have to pay him big bucks and rehire him?
An accountant was fired for gross incompetance. She fouled up our main systems, needed her password reset with the Feds at $100 a pop several times a month, etc. Finally, she comes in and demands to work 30 hours but still get 40 hours pay. She was fired after a public tantrum. She is suing us, because she is black and claims racial discrimination. We need a LOT of documentation to back up our claims that she wasn't a good employee, because she can just say we don't have enough black people, and that can be considered proof of discrimination by itself.
We are heavily regulated about customer information. If someone emails out another persons personal information outside the company, and it makes the news, we all suffer. We have to monitor for that too.
We have to take preventative measures to block bad language from coming in and going out. We can get sued because an employee called a customer a f*cker in an email, or because someone saw a dirty joke on someone else's screen (sexual harassment).
Laws were written up to protect the "little guy", so now we have to prove to government agencies that we have made accurate hiring and firing decisions. We have to support our claims, and take preventive action, because there are so many ways that we can get screwed by employees I can't even count them.
This week we had to let someone go because they came up short by $750. We had two people dedicated to figuring out what happened for two days. We spent a lot on money and time, and we are looking forward to the inevitable lawsuit. We have email to back it all up, and because of procedures we have in place, the emails are professional and straightforward, instead of causal and possibly derogatory. It took us a while to get here, but yes, this is what you asked for. By increasing our risk through lawsuits and regulatory compliance, we have to manage that risk by monitoring our employees.
Go swear to your friends at home.
Re: (Score:3, Insightful)
re: email filtering and archiving (Score:4, Insightful)
It seems to me that practically all of the issues you're bringing up could be handled successfully by retaining good email backups, going back for a reasonable length of time?
Our company doesn't do anything special in the way of attempting to read employee's emails or filter their content. But we DO have backup systems that dump copies of all the mailboxes onto nightly backups, and we keep a couple alternating "month end" tapes, plus a "year end" tape that's archived away.
This way, if something actually comes up, there's a decent amount of supporting email evidence that can be retrieved for that specific situation.
Otherwise, employees have a general expectation that nobody's monitoring their daily email correspondence in a "big brother" fashion.
Parent
If people watch the e-mails... (Score:3, Interesting)
Don't like this? I have a solution. (Score:4, Interesting)
1) Work for companies with over worked and under-budged IT departments who fight fires daily and have no long term plans - These companies are highly likely not to have any time to be reading your emails. Hell, you'd be lucky if the mail server stays up all week.
2) Write emails in foreign languages. In North America this works well, where so many people only speak English. Alternatively, teach your loved ones to use encryption in emails.
3) Use a fax machine. I know, waste of paper, but most companies don't have technology implemented to sniff/wiretap fax transmissions.
4) RDP to your home PC and write an email from there to your loved ones.
5) Make calls from conference rooms instead of your desk. This won't work if you call people daily, but its good if you need to make personal calls once a week or so. At the very least, it won't show up on your phone's call log, or the PBX's log about your phone.
6)If none of these are an option, you are working for a company that doesn't respect your privacy. Stand up for yourself, and go find another job.
Boy, are US companies taking big risks! (Score:4, Interesting)
Talk about a confusing issue. You require outright consent from employees AND the party your emailing. Period. No exceptions. Simply stating 'we monitor all emails' will not hold up in court - should it ever come to it - you need permission from that individual employee - or all employees and have a readily available record of their consent.
If what I'm reading is correct, its far easier to leave your emails alone, and then search if you have an issue with court permission, than it is to be actively reading emails.
Yeah... the Government even requires it (Score:3, Informative)
1) Because my company is a SEC & NASD registered company we are *required* by law to both actively monitor (in some instances we stop emails mid stream and hold them in a queue until a reviewer approves them) and archive all email/IMs of all employees who carry a license with those organizations. To not do so would be considered criminal activity and we would incur huge fines (hundreds of millions of dollars). We've been fined before; those fines were creatively structured to require that we invest XXX millions of dollars into systems that allow us to meet the requirements. A very basic example of the type of thing we monitor for are indications of insider trading. More than one broker has been let go after being caught trading unethically.
2) The second major reason we monitor electronic communications is to limit the liability of the company by halting the distribution (usually unintended) of non-public information... also known as NPI. A basic example of the types of things we monitor for are things that impact the financial well being of our customers (both people and business customers) such as account numbers, SSNs, passwords, insider company information, etc. Everyone who works at my company is subject to this second type of monitoring.
Naturally having these systems in place opens those who are being monitored to having their communications scrutinized for other types of violations... namely violations of corporate policy. i.e. use of profanity or other behavior deemed inappropriate and not considered behavior that is acceptable as representative of the corporation's image. We do actively scan for these types of issues, but generally just file the information away in case it triggers a customer complaint or is identified as repetitive and needs to be addressed by a person's manager.
I don't want to discuss the products we're using today because that is proprietary information, but I can tell you without a shadow of a doubt what direction the monitoring industry is going. There are already a handful of companies who can actively monitor data using a common set of rules/policies at ever layer of the infrastructure. There's a company called Orchestria, for example and who we have been talking to recently, who through a centralized policy engine can monitor literally everything you do on your computer through agents installed on the desktop, agents installed on IM gateways, agents installed on mail servers, agents installed on proxy servers and a border agent appliance that ideally sits in the DMZ that will perform packet level scanning and can block literally anything that it can read from those packets... going as far as to block encrypted data or brute force hack encrypted data on the fly and hold it in queue until it is scanned.
Scary right?
It depends on who you are I guess. As a technical person and admitted nerd I think that's cool as hell. It's the conspiracy theorist in me who is scared.
Re:Secure your email (Score:5, Insightful)
Small companies? One admin who does email in addition to everything else. Mid-sized companies? There's prolly one, maybe two dedicated admins, and they're more interested in using your emails as a means to track SMTP problems than in reading what's in 'em.
Large corps? Heh - you're just begging for attention if you start flinging around abnormal-looking SMTP traffic; esp. in really big companies that get a touch paranoid about such things as corporate espionage.
You'd be better off risking the attention of the proxy-minders with webmail than by dicking around with encryption on your email client. Using the proggies you linked to also tends to stick up like a sore thumb in any workstation app auditing... and you could conceivably get fired faster for loading unauthorized software onto your corp-issued equipment than a quickie email to your girlfriend describing in graphic detail at what you want to do to her when you get home.
Besides, most email admins have better things to do than grep emails (e.g. battle spam, figure out and fix bounces from remote mis-configured servers, curse at Verizon's RFP-non-compliant configs, keep enough inodes handy in /var, pound the load averages down to something sane, beg the powers-that-be for decent equipment, etc).
Unless your corp specifically has good reason to be ultra-anal about security (e.g. gov't contractors, Microsoft/Intel/IBM-sized corps, etc), then monitoring user emails with anything beyond simple log and traffic grepping tools is a waste of resources and time. Any company that spends more time watching their employees than their customers is a company that isn't long for the world these days.
Parent
Re:Secure your email (Score:5, Insightful)
Large corps? Heh - you're just begging for attention if you start flinging around abnormal-looking SMTP traffic; esp. in really big companies that get a touch paranoid about such things as corporate espionage.
There is an implied point here that deserves highlighting.
The people who are employed specifically to analyse outgoing mail, aren't looking for you emailing your girlfriend during working hours, forwarding chain letters, or calling your boss names. They're looking for the folks whose "inappropriate" mail will cost the company big $$$$ - corporate espionage, sexual harassment, etc.
Most people will never be in position to be monitored thus, because they'll just never be "important" enough.
Parent
Re:Secure your email (Score:4, Interesting)
Have you considered, perhaps you're being a tad hysterical here?
I work at one of those "ultra-anal" defense contractors... a biggun... and know our IT processes quite well, including the realities.
They don't "frog march" people out the door for those sorts of things. Actually, the IT security guys are lucky if they can get engineering to pay attention to them at all.
Except in SCIFs, then it's a different matter.
C//
Parent
Re:Secure your email (Score:4, Informative)
Did you even read the links? You aren't loading an executable of any kind. Those are instructions for placing a S/Mime certificate in the correct place so the "proggies" you use already can find and use them. The same can be done with Lotus or any other decent email client produced in the last 5 years or so.
Frankly, if you're doing any sort of business at all, and you AREN'T using encryption... you're an fool. Economic espionage [bbc.co.uk] can wipe out your business.
Parent
Re:It's not work monitor emails that bugs me. (Score:5, Interesting)
One of their duties is guarding the ESA launch site in French Guiana, so some Slashdotters might be into that. Plus, working out and is a lot like "leveling up," as our friends at XKCD remind us. Just think of it as a real-life RPG.
Parent
Re:Ah, the beauty of being bi-lingual (Score:5, Funny)
Parent
Google loves HTTPS (Score:3, Interesting)
This is VERY VERY important. If you're looking for a career elsewhere, then the difference between Google analyzing and aggregating your data as opposed to your boss knowing that you're exploring your options is HUGE.
Also keep in mind that Google offers several services that operate on HTTPS: Google Reader [google.com] (great for bypassing those stupid web-filters that block political sites at repressive c
Re:Google loves HTTPS (Score:4, Insightful)
Parent
Re:Google loves HTTPS (Score:4, Informative)
Parent