63% Of Corporations Plan To Read Outbound Email
John writes "Aviran's place reports that a recent survey of 332 technology decision-makers at large U.S. companies reveals that more than 63% of corporations with 1,000 or more employees either employ or plan to hire workers to read outbound email, due to growing concern over sensitive information leaving the enterprise through email."
Re:Yeah this is great (Score:1, Informative)
Gmail is useful for stopping this. (Score:1, Informative)
Well, here's the trick. Log in normally (not much choice), but after you do, change that http://gmail.google.com/stuff [google.com] to https://gmail.google.com/stuff [google.com] again. It'll give you the "loading" crap again, but afterwards, you're using Gmail normally but now it's encrypted.
Assuming they're snooping on you (you should figure this for a given, even if they're not--it's just good habit), now all they've got is the HTML from your inbox. If you're like me and filter all your normal email into various labels and have it "archived" (skip the inbox), they see hardly anything at all.
Yeah, I know. Some are convinced that Google is saving your email for a zillion years (they're not, but deletion is a "lazy" operation, and the computer might not get around to it for a day or two after you actually delete things), but unless you leave it on Google's servers after you need it, you don't have much to worry about. Especially not compared to your employers who probably ARE reading it whether you want to or not.
Sadly, I don't know of any way to do this directly from Hotmail or Yahoo. I guess you can set up a tunneling proxy at home and encrypt the traffic through it, but if you just want to shield your email, what I just said is the easiest way I know of to do it.
[For the clue-impaired, don't try clicking on those links Slashdot insists on making. Just log into Google & look at the URL in the address bar it sends you to.]
Liability, meet culture, meet ethics (Score:3, Informative)
On the other, this just means smaller companies will get better employees who don't want to be drones. That's one of the reasons I started my own - I hate oversight, and am bad at playing employee.
On the gripping hand, ethics are important. And they're hard in large companies. To some extent, if you're a large corp, you need process in place of understood ethics, because the former is enforceable and the latter much less so. I still think the balance tips to small corps. But then, we can't turn out replacement Apple CPUs, so our role is constrained.
Re:Gentlemen don't read others gentlemen's mail... (Score:5, Informative)
Law shmlaw (Score:3, Informative)
Believe it or not there are actually at least four different bases [harvard.edu] on which you could (but probably won't be able to successfully) argue for a right to privacy with regard to email communications sent from work:
(i) The Fourth Amendment to the U.S. Constitution, which reads: "[t]he right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures" -- but which only applies toward government action (although some pretty surprising apparently private actions can qualify as "governmental");
(ii) the Electronic Communications Privacy Act (ECPA), which covers email, and prohibits "(1) unauthorized and intentional 'interception' of wire, oral, and electronic communications during the transmission phase, and (2) unauthorized 'accessing' of electronically stored wire or electronic communications." -- but allows exceptions for companies which provide internet service, and does not apply if the employee consents to ECPA violations;
(iii) State statutes, which obviously vary wildly from state to state. The article that I'm using as my primary source notes that "Members of state legislatures have attempted to pass bills that would strengthen the protections of workers against electronic monitoring in the workplace, but they have generally failed because of sustained and effective corporate lobbying." (*mweheheheheh*).
(iv) Common law (which also varies from state to state) which sometimes recognizes an "actionable right to privacy" -- but under different caveats in each state.
Ummm . . . so yah -- it's complicated, so much so in fact that it's an open question in various states whether or not it's legal. Also -- not surprisingly -- the legality of the monitoring will often depend on the purpose of monitoring, the purpose of the communication, sometimes even the industry you're working in, etc. Good luck figuring it out -- especially if you signed a (now practically standard) agreement allowing your employer to snoop through your work emails at will.
Generally, when the law is this fuzzy, corps will do whatever is in their best interest, and count on their lawyers being better than your lawyer if you sue. They're generally right. So assume that your workplace email communications are being monitored. We are at the point now that it is never a good idea to send via email something you wouldn't mind all your colleagues seeing. Use Yahoo! or Gmail and at least make it a challenge for BigBroCorp to keep track of your on-the-job dicta. Of course, sending risque stuff from your workplace email may be your chance to be [snopes.com] famous [snopes.com]. Hehe.
Regards,
Moiche
Some companies are required by law to snoop. (Score:3, Informative)
Re:Law shmlaw (Score:2, Informative)
On the other hand, if you are certain that your policy does not tread on this kind of territory, and you monitor the information that goes out between say a department providing a routine, non-regulated service and the customers, you can of course monitor this communication, or at least, it will not be improper to ask the employee to consent to this monitoring.
I have a somewhat distorted viewpoint, I suppose, since much of my career has been spent as an IT professional attached to the Office of General Counsel for a multinational corporation, where my clients were attorneys, industrial health and safety engineers, air and water quality specialists, and lobbyists. In that environment there is no question that communication is guaranteed to be confidential, and absolutely must not be subjected to any sort of routine interception.
I don't see this as anything like a boundary case or as being unusual at all. But I'm sure I have a bias, and I may assume that more companies and organizations must maintain strict protocols on confidentiality, even within the enterprise.
While scanning the Slashdot posts on this I saw HIPAA mentioned quite a bit. I suppose people assume it would be obviously proper to have a security group monitoring correspondence, but I'd expect it to be much more likely that this security group would constitute a violation, unless everyone in that group was permitted to be in the loop on every piece of correspondence. I sincerely doubt that *increasing* the number of eyes on every document will pass HIPAA muster. I certainly would not assume this to be okay. Are you seriously going to pay licensed physicians to man your IT security department? There's no way you're going to be able to outsource this role to Pinkerton or Wackenhut.
When it gets into information that is regulated under the CFR, you'd better not take for granted that merely being designated as "the employer" gives you special rights that trump the federal laws.
But don't listen to me. As I said, my experience with this stuff was in a context where the employees *were* the lawyers, and the communications were often of a very sensitive nature, and confidentiality was assured even to the extent that no-one, not the board of directors, not the FBI, and definitely not some random security manager, was allowed to snoop. But I don't think that's a special case. I think it delineates the reason why management personnel should not execute a plan on the assumption that their company is a kingdom and they are the monarch. There are *lots* of rules that say otherwise, and breaking some of which can lead to managers doing the perp walk if they cross the wrong lines.
Re:Some companies are required by law to snoop. (Score:2, Informative)
Re:I work for a bank. (Score:1, Informative)
The SEC also gets rather in a huff if traders are not closely monitored for violations of sections 16 and 20 of the Securities Exchange Act, both of which mainly apply to insider trading.
Re:Gentlemen don't read others gentlemen's mail... (Score:2, Informative)
Re:Good luck reading secure webmail (Score:2, Informative)
plugin for that kind of thing...
http://www.squirrelmail.org/plugin_view.php?id=15
Of course you've got to have your own webmail, but without it, security is pointless.
Re:You do realize... (Score:2, Informative)
Re:Good luck reading secure webmail (Score:3, Informative)
Two words: hardware keylogger [keyghost.com].
Re:ROT 13 (Score:2, Informative)
it should be expected (Score:3, Informative)
The only reason there aren't more employers monitoring email is simply due to a lack of manpower to do it.
Bottom line: never assume privacy. Only assume better privacy by actively employing measures yourself. (pgp etc) And of course if you're using pgp on your employer's computer, isn't that a major false sense of security? (if it's not owned by you, consider it 0wn3d)