
63% Of Corporations Plan To Read Outbound Email

Posted by timothy
from the oh-that's-sensible dept.
John writes "Aviran's place reports that a recent survey of 332 technology decision-makers at large U.S. companies reveals that more than 63% of corporations with 1,000 or more employees either employ or plan to hire workers to read outbound email, due to growing concern over sensitive information leaving the enterprise through email."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Tuesday June 07, 2005 @10:49PM (#12754310)
    I believe trillian pro supports jabber. I'm not sure about the free version though.
  • by Anonymous Coward on Tuesday June 07, 2005 @11:13PM (#12754492)
    Assuming you can get to Gmail from work (not a given), note how you log in as https://gmail.google.com/stuff [google.com] but after you enter your username & password, it becomes just http://gmail.google.com/stuff [google.com]?

    Well, here's the trick. Log in normally (not much choice), but after you do, change that http://gmail.google.com/stuff [google.com] to https://gmail.google.com/stuff [google.com] again. It'll give you the "loading" crap again, but afterwards, you're using Gmail normally but now it's encrypted.

    Assuming they're snooping on you (you should figure this for a given, even if they're not--it's just good habit), now all they've got is the HTML from your inbox. If you're like me and filter all your normal email into various labels and have it "archived" (skip the inbox), they see hardly anything at all.

    Yeah, I know. Some are convinced that Google is saving your email for a zillion years (they're not, but deletion is a "lazy" operation, and the computer might not get around to it for a day or two after you actually delete things), but unless you leave it on Google's servers after you need it, you don't have much to worry about. Especially not compared to your employers who probably ARE reading it whether you want them to or not.

    Sadly, I don't know of any way to do this directly from Hotmail or Yahoo. I guess you can set up a tunneling proxy at home and encrypt the traffic through it, but if you just want to shield your email, what I just said is the easiest way I know of to do it.

    [For the clue-impaired, don't try clicking on those links Slashdot insists on making. Just log into Google & look at the URL in the address bar it sends you to.]
  • by abulafia (7826) on Tuesday June 07, 2005 @11:20PM (#12754534)
    On one hand, liability concerns drive this kind of crap. We have too much law. (Yes, this means you, those of you who want to bind corporate hands at every turn - SOX means bosses reading your email, in many cases. Hope you enjoy sticking it to your ass, I mean, the man.)

    On the other, this just means smaller companies will get better employees who don't want to be drones. That's one of the reasons I started my own - I hate oversight, and am bad at playing employee.

    On the gripping hand, ethics are important. And they're hard in large companies. To some extent, if you're a large corp, you need process in place of understood ethics, because the former is enforceable and the latter much less so. I still think the balance tips to small corps. But then, we can't turn out replacement Apple CPUs, so our role is constrained.

  • by romcabrera (699616) on Tuesday June 07, 2005 @11:21PM (#12754541) Homepage
    login using https://gmail.google.com instead of http://gmail.google.com
  • Law shmlaw (Score:3, Informative)

    by Moiche (840352) * on Tuesday June 07, 2005 @11:22PM (#12754551)
    In response to the numerous posters wondering whether the practice of monitoring employee email is legal: the one thing you can be sure of is that anyone who tells you straight yes or straight no doesn't know what they are talking about.

    Believe it or not there are actually at least four different bases [harvard.edu] on which you could (but probably won't be able to successfully) argue for a right to privacy with regard to email communications sent from work:

    (i) The Fourth Amendment to the U.S. Constitution, which reads: "[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures" -- but which only applies toward government action (although some pretty surprising apparently private actions can qualify as "governmental");

    (ii) the Electronic Communications Privacy Act (ECPA), which covers email, and prohibits "(1) unauthorized and intentional 'interception' of wire, oral, and electronic communications during the transmission phase, and (2) unauthorized 'accessing' of electronically stored wire or electronic communications." -- but allows exceptions for companies which provide internet service, and does not apply if the employee consents to ECPA violations;

    (iii) State statutes, which obviously vary wildly from state to state. The article that I'm using as my primary source notes that "Members of state legislatures have attempted to pass bills that would strengthen the protections of workers against electronic monitoring in the workplace, but they have generally failed because of sustained and effective corporate lobbying." (*mweheheheheh*).

    (iv) Common law (which also varies from state to state) which sometimes recognizes an "actionable right to privacy" -- but under different caveats in each state.

    Ummm . . . so yah -- it's complicated, so much so in fact that it's an open question in various states whether or not it's legal. Also -- not surprisingly -- the legality of the monitoring will often depend on the purpose of monitoring, the purpose of the communication, sometimes even the industry you're working in, etc. Good luck figuring it out -- especially if you signed a (now practically standard) agreement allowing your employer to snoop through your work emails at will.

    Generally, when the law is this fuzzy, corps will do whatever is in their best interest, and count on their lawyers being better than your lawyer if you sue. They're generally right. So assume that your workplace email communications are being monitored. We are at the point now that it is never a good idea to send via email something you wouldn't mind all your colleagues seeing. Use Yahoo! or Gmail and at least make it a challenge for BigBroCorp to keep track of your on-the-job dicta. Of course, sending risque stuff from your workplace email may be your chance to be [snopes.com] famous [snopes.com]. Hehe.

    Regards,

    Moiche

  • by caxis (855664) on Tuesday June 07, 2005 @11:59PM (#12754749)
    I work for a life insurance company and just wanted to point out that any information systems that contain or have access to EPHI (Electronic Protected Health Information) are bound by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) which specifies in more than one part that measures must be taken to ensure EPHI is kept confidential. This INCLUDES monitoring outgoing e-mail. My company is small, our IT department consists of 4 programmers, a network admin, 2 help desk people, a production operator, 3 business analysts and a manager. We don't want to be bothered with this crap, but we are obligated by law.
  • Re:Law shmlaw (Score:2, Informative)

    by fishbowl (7759) on Wednesday June 08, 2005 @12:11AM (#12754805)
    Privileged correspondence, as between an attorney and a client, or a physician and a patient, or a broker and an agent, can carry privileges that do not have exceptions for an IT security manager, an HR manager, or a general manager, or anyone else. This could get sticky if a company made a ham-handed policy of putting a non-privileged party in the path of a privileged communication. There's a whole world of situations where it is improper for certain kinds of information to be shared, even if it is up a chain of management hierarchy, or at the command of a security department. The possibilities for conflicts of interest, breach of mandatory protocols, commerce codes, or insider information, are everywhere.

    On the other hand, if you are certain that your policy does not tread on this kind of territory, and you monitor the information that goes out between say a department providing a routine, non-regulated service and the customers, you can of course monitor this communication, or at least, it will not be improper to ask the employee to consent to this monitoring.

    I have a somewhat distorted viewpoint, I suppose, since much of my career has been spent as an IT professional attached to the Office of General Counsel for a multinational corporation, where my clients were attorneys, industrial health and safety engineers, air and water quality specialists, and lobbyists. In that environment there is no question that communication is guaranteed to be confidential, and absolutely must not be subjected to any sort of routine interception.

    I don't see this as anything like a boundary case or as being unusual at all. But I'm sure I have a bias, and I may assume that more companies and organizations must maintain strict protocols on confidentiality, even within the enterprise.

    While scanning the slashdot posts on this I saw HIPAA mentioned quite a bit. I suppose people assume it would be obviously proper to have a security group monitoring correspondence, but I'd expect it to be much more likely that this security group would constitute a violation, unless everyone in that group was permitted to be in the loop on every piece of correspondence. I sincerely doubt that *increasing* the number of eyes on every document will pass HIPAA muster. I certainly would not assume this to be okay. Are you seriously going to pay licensed physicians to man your IT security department? There's no way you're going to be able to outsource this role to Pinkerton or Wackenhut.

    When it gets into information that is regulated under the CFR, you'd better not take for granted that merely being designated as "the employer" gives you special rights that trump the federal laws.

    But don't listen to me. As I said, my experience with this stuff was in a context where the employees *were* the lawyers, and the communications were often of a very sensitive nature, and confidentiality was assured even to the extent that no-one, not the board of directors, not the FBI, and definitely not some random security manager, was allowed to snoop. But I don't think that's a special case. I think it delineates the reason why management personnel should not execute a plan on the assumption that their company is a kingdom and they are the monarch. There are *lots* of rules that say otherwise, and breaking some of which can lead to managers doing the perp walk if they cross the wrong lines.

  • by caxis (855664) on Wednesday June 08, 2005 @01:03AM (#12755015)
    We don't intercept that communication, we are a life insurance company who have records of people's EPHI. The only way we'd ever see EPHI through outgoing mail is if someone were committing a violation anyway. HIPAA affects everyone, company wide. There is no special license for IT, we are just bound by HIPAA. We work at the company so we are going to see SSNs and EPHI in the course of our daily work anyway. The entire idea of anyone being mad that IT saw their info is ludicrous considering we are the ones that maintain the information systems that house the data. I mean, get real.
  • by Anonymous Coward on Wednesday June 08, 2005 @01:32AM (#12755134)
    Actually, it's to ensure that such confidential information isn't going out over such unsecured media (google Gramm Leach Bliley -- the financial industry is heavily regulated, and privacy is no exception). If it's encrypted (and being sent to someone who otherwise has a legal right to the information, i.e. customer or legitimate business partner), then it's generally fine.

    The SEC also gets rather in a huff if traders are not closely monitored for violations of sections 16 and 20 of the Securities Exchange Act, both of which mainly apply to insider trading.
  • by bleak sky (144328) on Wednesday June 08, 2005 @01:36AM (#12755158) Homepage
    No. If you actually login by going to https://gmail.google.com [google.com], the entire session remains encrypted.
  • by dvaldenaire (52153) on Wednesday June 08, 2005 @02:34AM (#12755353) Homepage
    Keystroke logging? SquirrelMail has a perfect plugin for that kind of thing...

    http://www.squirrelmail.org/plugin_view.php?id=159 [squirrelmail.org]

    Of course you got to have your own webmail, but without it, security is pointless :)
  • Re:You do realize... (Score:2, Informative)

    by parliboy (233658) <parliboy@@@gmail...com> on Wednesday June 08, 2005 @05:21AM (#12755824) Homepage
    No, but the keystroke logger still picks it up.
  • by Tim C (15259) on Wednesday June 08, 2005 @06:09AM (#12755936)
    To have privacy, you have to find some obscure Unix distro (Red Hat isn't obscure enough; they have that covered too) and use it.

    Two words: hardware keylogger [keyghost.com].
  • Re:ROT 13 (Score:2, Informative)

    by nicolaiplum (169077) on Wednesday June 08, 2005 @09:48AM (#12756891)
    Definitely worked to email people I know whose work email spam filter was over-enthusiastic about things like "scunthorpe".
  • by v1 (525388) on Wednesday June 08, 2005 @09:54AM (#12756951) Homepage Journal
    Anyone using someone else's communications technology should not expect their communications to be private from the owner of the technology. This includes phone, email, SMS, etc. I take it for granted that if I'm on the phone with someone there may be a lineman down the block testing the phone lines and may overhear part of my conversation. I don't believe my employer is currently reading my email, but I totally believe in their right to do so.

    The only reason there aren't more employers monitoring email is simply due to a lack of manpower to do it.

    Bottom line: never assume privacy. Only assume better privacy by actively employing measures yourself. (pgp etc) And of course if you're using pgp on your employer's computer, isn't that a major false sense of security? (if it's not owned by you, consider it 0wn3d)
