63% Of Corporations Plan To Read Outbound Email

Posted by timothy
from the oh-that's-sensible dept.
John writes "Aviran's place reports that a recent survey of 332 technology decision-makers at large U.S. companies reveals that more than 63% of corporations with 1,000 or more employees either employ or plan to hire workers to read outbound email, due to growing concern over sensitive information leaving the enterprise through email."
  • by rd4tech (711615) * on Tuesday June 07, 2005 @10:24PM (#12754134)
    The funny thing is... well, not so much funny as it is disturbing, signing an employment contract.

    Remember that signature on that thick paper you've signed prior to getting that high paid tech job? The one saying that everything you think of during working hours is theirs? The one that maybe is saying (in some cases) that everything you think on and off during working hours, while employed or 3 years after also belongs to them?

    Well, it seems to me, and I might be way off here, that thinking up an email by an employee is in fact his company's property and hence, they have all the rights to read it, and it doesn't break anyone's right to privacy.

    Can anyone with legal experience enlighten me on this one? Do the bastards have the right to do so, provided that one doesn't sign a document that explicitly states "you can read my email" but instead contains a fine version of "all your bases, off lunch hours, belongs to us"?
  • Hushmail ! (Score:1, Interesting)

    by Ray Alloc (835739) on Tuesday June 07, 2005 @10:29PM (#12754163)
    For that reason, sites like Hushmail [hushmail.com] allow SSL-secured web-based confidential mail.
  • Oblig. Simpsons (Score:1, Interesting)

    by Anonymous Coward on Tuesday June 07, 2005 @10:30PM (#12754174)
    Eh, it'll be us who is doing the monitoring anyway.

    I, for one, welcome our new IT-geek overlords.
  • by Average_Joe_Sixpack (534373) on Tuesday June 07, 2005 @10:32PM (#12754190)
    For example if I include the name of one of my company's products plus "bug"/"flaw"/"crash" then I can expect a follow-up scolding from HR. (I found this out the hard way) Course that's cake compared to the other spying and practices that go on.
  • by Anonymous Coward on Tuesday June 07, 2005 @10:39PM (#12754240)
    IANAA, however I've been negotiating my own employment contracts for years. I carve out broad exceptions for any work I do offsite, without their equipment, and not under their direct orders. I also include a phrase exempting any pre-existing intellectual property. I also usually strike any anti-whistleblower clauses. So far, none of these changes have ever stopped my employment.

    As I recall, the right to privacy applies only when and where one has a reasonable expectation of privacy. If you're in your employer's facility, on their equipment, using software licensed to them and interacting with servers owned by them; you've no more expectation of privacy than you do on a CB channel. Their ability to check your e-mail is roughly analogous to the rules that enable you to record phone calls in your own home if you inform the person who calls that they are being recorded (rule varies from State to State).
  • by Adrilla (830520) * on Tuesday June 07, 2005 @10:53PM (#12754347) Homepage
    Probably because nowadays, more than ever, work life and home life tend to overlap, and so do your business and personal contacts. It's simply easier (maybe not smarter) to just maintain one main email account and since you have to use the work email for work contacts, it's simpler to use that account as your crossover account. Also, most people have nothing to hide from their employers, and others simply take the warning that their email will be read as an idle threat.
  • by Anonymous Coward on Tuesday June 07, 2005 @11:06PM (#12754435)
    "As with most draconian Big Brother initiatives this one won't work. What's to stop employees from just logging into a private webmail account over HTTPS and sending information out that way?"

    I got a better question. Are all you trying to slip corporate information out the door, and why? This really is much ado about nothing. Same with them listening in on your phone conversations. And NO, you have little to no expectation of privacy, constitution or not while at work.
  • Lucent / ATT does it (Score:3, Interesting)

    by jpostel (114922) on Tuesday June 07, 2005 @11:08PM (#12754453) Homepage Journal
    Or at least they used to. I worked at Bell Labs in 1997 and one of my co-workers was escorted out of the building by security. He was discussing one of his projects with someone that he went to grad school with via email. It's not like he was selling info to a rival company, but he broke his confidentiality agreement and they fired him.

    What's funny about this is that I told him they recorded every keystroke on the UNIX boxes (no one used Windows except for Word and Excel) and that they had a visible and hidden copy of the log file so they could compare. They probably had a third, but I only found the first two.

    In today's companies, I find it amusing that they would claim to hire people to sift through outgoing email. My company won't hire people to train internal staff to do their jobs. Instead they pay people to correct the mistakes. It's a joke.

    I've had to read peoples' emails when HR asks for emails related to a specific topic (usually legal), and I can tell you it's like washing someone else's laundry: it's voyeuristic at first, but after a while, it's just dirty laundry.
  • by Deagol (323173) on Tuesday June 07, 2005 @11:14PM (#12754502) Homepage
    Anyone really clever enough to cause serious damage from the inside can do better than email. Besides, draconian measures like this are ultimately self-defeating in the end. If you treat your employees with disrespect and distrust, the employee reciprocates with equal disloyalty.

    I once worked at a small software firm (50 employees) and we "merged" with a larger one. What was once an open workplace of mutual respect quickly became one location of seemingly untrusted drones. The new corporate office demanded a firewall, so they could watch what we visited. They snooped people's Exchange folders. Etc.

    It had never occurred to me to betray my employer. But when they started treating us as untrustworthy, my fellow admins and I came up with all manner of methods to thwart the security measures. It helped, of course, that we were privy to those measures, which we were sure to disclose to fellow workers who had no idea.

    And you'd better be *really* thorough with that Acceptable Use Policy. :) Sure, you can watch what I visit on the web, but it may only *seem* innocuous. One user on the inside may be sending weird HTTP requests to a legit-looking site. But in reality, those requests are lines of an ASCII armoured PGP file (properly URL-encoded, of course).

    I don't care if it's the company email server, on company time, yadda-yadda-yadda. And I don't care if the ream of paper I signed to put food on the table gives them the right to record phone calls, archive email, and take ownership of portions of my brain -- 'cause they *all* do it these days. It's not outright collusion, but the end result is pretty much the same.

    If the company expects me to interrupt home/private time for their benefit, they'd better damned well respect my privacy on the job, because there's little time to tend to personal affairs requiring 9-to-5 services otherwise.

    "That badge don't make you right."

  • by hrieke (126185) on Tuesday June 07, 2005 @11:16PM (#12754515) Homepage
    There is a company here in Boston called IMLogic which builds systems for logging IM conversations for regulatory reasons (Brokerage firms, Health Care companies, etc).

    So, yes, companies are reading that too.
  • by Anonymous Coward on Tuesday June 07, 2005 @11:21PM (#12754538)
    There is good news: Hewlett-Packard has their own internal Jabber servers and require SSL connections from their clients. So internal traffic is pretty secure. Other IM clients are "unsupported" and non-encrypted IM clients are forbidden, though I have never seen this enforced.

    On a similar vein, HP has also outlawed 802.11b other than their own official, secured, VPN-required system, and cordless phones and headsets are not allowed either (though certain Plantronics headsets that do some form of scrambling or encryption are allowed on a case-by-case basis).

    Posting AC so I don't get fired for leaking corporate secrets... but they do seem to have a clue about security, and are not too draconian in their efforts to keep their secrets safe.
  • by AHumbleOpinion (546848) on Tuesday June 07, 2005 @11:33PM (#12754616) Homepage
    Also, when you say email is company property, I understand the technical principle that the bits and bytes are on the company owned servers but it's still a form of communication and people should have the right to a little privacy.

    A company may record all emails for legal reasons. They may be compelled to turn them over to a court or some regulatory agency. The use of personal email could be viewed by a hostile plaintiff, court, or agency as circumvention of data retention in order to hide misconduct or other illegal activities. Things are far more complicated than you suggest. If you want privacy don't use company computers and resources.
  • by AHumbleOpinion (546848) on Tuesday June 07, 2005 @11:38PM (#12754638) Homepage
    Hellooooo encryption. *nods head*

    Hello reprimand or unemployment. *shakes head*

    Yeah, make sure you look like the person leaking company info or products, draw attention to yourself as someone who needs more surveillance.
  • by Barlo_Mung_42 (411228) on Tuesday June 07, 2005 @11:38PM (#12754641) Homepage
    Why would anyone work at a place like that?
    A paycheck isn't worth it and I'm not being glib. If my boss started reading all of my email I'd walk.

  • by Joel from Sydney (828208) on Tuesday June 07, 2005 @11:46PM (#12754684)
    Here in the state of New South Wales, our workplace surveillance laws have just been amended to specifically address this issue. By law, employers are now forbidden from carrying out covert surveillance of their employees, whether by email, phone, video camera, or anything else. They need a court order and a reasonable suspicion of wrongdoing before an employee can be monitored. See the following report from AAP (Australian Associated Press).

    NSW: Employers to risk charges for spying on worker's emails
    Wednesday, 04 May, 2005
    Content provided to you by AAP


    SYDNEY, May 4 AAP - Employers who read workers' private emails may soon risk criminal charges with legal safeguards being introduced today by the NSW government.

    NSW will be the first Australian state to outlaw unauthorised spying of employees using technologies including video cameras, email and tracking devices with the introduction of the Workplace Surveillance Bill 2005 to state parliament today.

    The new laws will make it a criminal offence to take part in any form of covert surveillance unless an employer can prove they had reasonable suspicion of wrong doing by an employee.

    "While some employers argue that this is necessary to protect their legitimate interests, employees expect that their private correspondence, like their private telephone calls or private conversations, should never be the subject of secret monitoring," NSW Attorney General Bob Debus said in a statement today.

    "We don't tolerate employers unlawfully placing cameras in change rooms and toilets. Likewise, we should not tolerate unscrupulous employers snooping into the private emails of workers."

    The new laws will strike a balance between an employee's right to privacy and the legitimate needs of employers to protect their intellectual and commercial property, he said.

    "Unless employers have a court order, they would need to give employees notice that surveillance will be conducted," Mr Debus said.
  • Re:Well (Score:1, Interesting)

    by Anonymous Coward on Tuesday June 07, 2005 @11:58PM (#12754745)
    what seems to be missed (at least in the few comments I've read) is that many employees (of the not so computer savvy variety) don't understand the insecurity of email and will cough up company info without realizing that they are sharing it with pretty much anyone who wants it. It's also not supposed to be perfect - it's just supposed to create another safeguard, and if your company does government work and deals with classified info it is possible to leak information by mentioning different random "harmless" facts which add up to something not so harmless. Preventing this is well worth the salaries of the employees paid to do the checking.
  • by shodson (179450) on Wednesday June 08, 2005 @12:07AM (#12754790) Homepage
    I keep seeing posts on Craigs List in the "Gigs" sections titled "Get paid to read email" but they are usually deleted by the time I read the posts through my RSS feed. Maybe this is what these are all about: companies can outsource their email reading to an overseas Asian country, that'll really keep security nice and tight!
  • Re:one word for you (Score:2, Interesting)

    by ancientt (569920) <ancientt@yahoo.com> on Wednesday June 08, 2005 @12:29AM (#12754874) Homepage Journal
    I respectfully disagree. I work in a financial related industry and if one of our employees sends out credit card numbers then they should be stopped. There is no way to ensure that they do not, except by monitoring. I therefore assume everything I type and everything I send is subject to screening. I'd be surprised if they don't have a hardware based keylog (http://www.thinkgeek.com/gadgets/electronic/5a05/ [thinkgeek.com] for example) and I'd be surprised if they don't have some sort of content capture installed on every workstation that has access to sensitive information.

    Why do I think they have a right to? Simple, I have to trust them with my personal financial information as does practically anyone who uses a credit card, thus I want them to protect it. That protection is an obligation, not an invasion of my own or anyone else's privacy.

    Furthermore encrypting doesn't necessarily protect your privacy on a work computer.

    Encrypting only stops them from deciphering what was sent, not what was originally created as it was in the process of the creation. With a solid security scheme in place, I expect the system records everything and flags long numbers, curse words and clipboard pastes. I certainly hope it does anyway.

    Bottom line. Don't trust anything to be secure unless you own the box and know how to keep it secure yourself. Even then, assume somebody smarter than you might figure out a way past it and try to keep the damage potential to a minimum just in case.

  • by Slurm (147172) <slashdot@@@derekchiles...net> on Wednesday June 08, 2005 @12:33AM (#12754898)

    The part that amazes me these days is that people bother to send personal email through their work address when perfectly good webmail clients exist (*cough*gmail*cough*). Yes, your employer can probably see that you're surfing Gmail/Hotmail/Yahoo/Home *nix Server. However, your email is not likely to be captured by their system, and remains private.

    So, why do people still use work for private mail?

    At the company I work for, and I imagine others as well, webmail sites are blocked at the proxy server. They want all of the mail to go through one entry/exit point, just like all of the web traffic does. Of course I can think of about five ways to circumvent this, but the vast majority of employees will just accept that they are not supposed to use webmail.

    Personally, since it's their internal network and hardware, I don't care if they look at every bit that goes in and out of my (work) desktop. I have nothing to hide, and if I have some sort of sensitive private communication to make, I can wait until I get home or go outside and use my cell phone. I don't see the problem here.

  • by FLEB (312391) on Wednesday June 08, 2005 @12:45AM (#12754940) Homepage Journal
    As would a challenge/response sort of calculated password on your personal webmail/SSH login.

    Username/Password/PIN plus 8392, divided by 2, rounded down, and offset one key up (with wraparound) on the numeric keypad. The parameters of which are calculated differently for every login attempt, of course.
  • by Horrortaxi (803536) on Wednesday June 08, 2005 @12:46AM (#12754948)
    Can anyone with legal experience enlighten me on this one? Do the bastards have the right to do so, provided that one doesn't sign a document that explicitly states "you can read my email" but instead contains a fine version of "all your bases, off lunch hours, belongs to us"?

    I've never gotten the "sign here to allow the company to read your email" letter before, but over and over I've gotten the one that says "I understand that there is absolutely no guarantee of privacy when using company computers/networks. Company computers/networks are to be used only for company business. Personal use of company computers/networks is grounds for dismissal." I don't work for a Fortune 500 company, I work for a school district. What kind of trade secrets am I going to leak? 2+2=4? No Child Left Behind is a bad idea? But as anti-big brother as I am I think this is perfectly reasonable. While you're at work they own your ass--and they own the computer and they own the network. They have the right to do whatever they want with their property.

    I was actually a juror on a wrongful termination case about a year ago. The plaintiff said she was fired because she was pregnant, but the defense was ready with all her personal emails she sent from work. Hundreds of them! Racist jokes, bullying/humiliation of coworkers, invitations to happy hour, bids sent to competing vendors (oops!), booking vacations, getting mortgage rate quotes, etc. Then they whipped out the "I understand that my email is not private at work and I can't use it for personal business and if I do I can be fired" document signed by the plaintiff and it was all over. This small company had actually fired a few people for email abuse already.

    They pay you to work. If you send out the occasional personal email they probably won't give you static about it. But if you send so much personal email that they wonder when you have time to work there will be problems. There really shouldn't be any outrage about it.
  • by fishbowl (7759) on Wednesday June 08, 2005 @12:55AM (#12754990)
    > This INCLUDES monitoring outgoing e-mail.

    What steps do you take to ensure that the monitoring itself does not constitute a violation of the confidentiality provisions of the law? You are adding eyes to confidential material when you do this. It occurs to me that when you take information that had been between a health care practitioner and the patient, and you insert "4 programmers, a network admin, 2 help desk people, a production operator, 3 business analyst and a manager" in between them, you have violated the very spirit of the idea that the communication was supposed to be confidential!

    What kind of bonding or licensing do you require for the IT staff?
  • by fishbowl (7759) on Wednesday June 08, 2005 @03:01AM (#12755426)
    "The SEC also gets rather in a huff if traders are not closely monitored for violations of sections 16 and 20 of the Securities Exchange Act"

    I've only been in a situation one time where this applied to me, with any degree of risk. Early in 1986 while working for Haynes & Boone, I knew about the takeover bid for Safeway. This wasn't revealed to the general stockholders/employees until the next quarter -- when they started receiving litigation documents and tender offers and stuff like that, that we were already preparing.

    At the time, I didn't have any money or even much of an idea what could be done with this kind of information, but it was certainly made very clear to me that it would be a Very Bad Thing to discuss the minimal information I had with anyone outside the firm, or to do any trading based on the information. I'm sure at the time, just the idea that I could lose that shiddy job was enough to keep me honest. The only thing I was really aware of, was that I was part of the process of making a whole lot of people lose their jobs, and asking them to sell their stock at rock bottom price (or risk holding it to zero, I suppose). I remember it didn't bother me at the time, because I perceived these people as being in a higher class than I was in, what with their good jobs and having enough money to buy things like stock in a company. Hell, they probably owned late model cars, lived in houses, that sort of high-falutin' lifestyle. Here I was with a college degree working for a bunch of Texas assholes, not even making enough money to meet my modest expenses. In other words, I was in exactly the kind of position that, had I known how to do it, I could have been pushed into the sort of rebellious mode where I might have taken advantage of this. I mean, I can tell you for a fact that same year, I drove drunk, discharged a firearm inside the city limits, smoked marijuana, and jaywalked (on the way to the courthouse to pay a traffic ticket, I got a ticket for jaywalking!) So the slippery slope theory practically *required* me to do some securities fraud, right? Well, I didn't have any idea about that sort of thing, and I didn't exactly have a whole lot of money anyway. So I guess it's a good thing... Jeez, I just remembered, that was the same year I applied to the police department (I was desperate), and they almost took me! Holy cow.

    That Michael J. Fox movie wasn't out yet, or "Wall Street" with the Sheens, but I must admit, after seeing that movie I fantasized about getting rich through questionable means :-)

    (If my employer is reading this, I have since rehabilitated myself and can categorically assure you that I entertain no such notions, nor would I act upon them, were I in a position to do so.)

    (If you worked for Safeway in 1986, I'm really sorry. I was too much of a punkass to recognize a human face on that paperwork.)

  • by jeanluc.bonnafoux (611600) on Wednesday June 08, 2005 @03:05AM (#12755442)
    In France, the situation is the following: A corporation can only read emails concerning business. The emails sent from a corporate email account but concerning private matter can not be read. The problem is: how can companies know if an email is a business or a private one ? AFAIK, in France, we often are asked to put a special word (eg: private or personnal) in the title in order to avoid scanning.
  • by ArsenneLupin (766289) on Wednesday June 08, 2005 @03:44AM (#12755562)
    There are SSL interceptors (proxies) available. The way they work is that the proxy negotiates one session with the browser (using its own key for server) and another one with the web server (using its own key for client). In a normal setting, such a proxy would be detectable, because the proxy would have no way of producing a correctly signed server certificate.

    However, in a company setting, this is no problem, as the company can easily set up its own certification authority, and install the CA certificate in all its employee's browsers as part of the standard installation procedure.

  • by Sique (173459) on Wednesday June 08, 2005 @04:44AM (#12755735) Homepage
    You are describing something called a "man in the middle attack". Easiest way to defeat this one: Download the certificate at home and take this one with you to the company and install it there. If the company has an SSL interceptor, it will surely ring the alarm bells.
    It will also ring the alarm bells if the certificate you downloaded at home is tainted by the home ISP's SSL interceptor though. But at least you know that one of your points of entry into the internet is 0wn3d.
  • by xQx (5744) on Wednesday June 08, 2005 @05:01AM (#12755782)
    Being the sysadmin at a small company, I am the person who actually ends up reading people's email; and being a small company, the person who has to face the person whose email I just read.

    The argument is simple and well covered, the company owns the computer, your email, and anything you do on company time.

    The only grey areas are 'does the company have the right to go through email you deleted', and 'does the company own something you did using company resources in your own time.'

    I mix personal email with company email; as do many others...

    I say openly to other employees "Yes, I can read your email. Yes, it's not private. Yes, we own it. BUT, The company and I don't care what you and your friends talk about and what you do on the weekend." If you're not trading secrets, resumes or bagging the company, even if we do read your email, we don't CARE.

    If you're worried about privacy in a 1000+ employee company, remember this:

    You're just not that important. :)
  • by RebRachman (144344) <rebecca@ga n g l y s i s t e r .com> on Wednesday June 08, 2005 @05:42AM (#12755868) Homepage
    This is absolutely the number one security breach today, actually, and it's internal as external. Oh, you don't have access to that directory on the company's intranet? well, let me just email that document to you...

    Companies do need to protect themselves. There's some very interesting development in that area, in fact. http://www.vidius.com/ [vidius.com]

  • by ajs (35943) <ajs@nOsPam.ajs.com> on Wednesday June 08, 2005 @07:20AM (#12756122) Homepage Journal
    "Remember that signature on that thick paper you've signed prior getting that high paid tech job?"

    Yep. I also recall that you can't waive your rights in a contract. Sadly, privacy isn't an actual right in the US. :-(

    Unless your company blocks outgoing ports, you can always just run your own mail server at home, and communicate with it via SMTP/TLS. I do this and I also don't use my ISP's relays except for those few destinations that refuse to talk to a "residential" mail server. That way, any destination systems that speak SMTP/TLS will get my mail without anyone who would archive or read my mail getting an unencrypted copy other than the target system.
  • Even funnier (Score:5, Interesting)

    by YrWrstNtmr (564987) on Wednesday June 08, 2005 @08:25AM (#12756323)
    How many people take their work laptop home every day? Company doesn't want you to leave it on the desk...too easy to get stolen. So they get taken home every day.

    Company secrets leaking out through email? Hell. 80GB walking out, as per company rules, in my backpack every single day.

  • by snero3 (610114) on Wednesday June 08, 2005 @09:22AM (#12756645) Homepage

    I used to work for a university in the MBA school. In order to get the best possible professors for our students we had to allow them to do consulting for large companies on the Uni's time as we couldn't afford to pay them what the going market rate was. This practice was regulated in that they could only spend 30% of their time consulting and they couldn't use any of the schools resources (IE letter heads, websites, secretaries etc..). Now on the face of it this worked well for both parties as we got the best from industry plus the profs got the salary they had become accustomed to. However, as human nature would have it, the profs got greedy and started abusing their position and students started to take notice that the very expensive course they had just paid for was suffering. So as IT we were charged with implementing all sorts of monitoring to gather evidence of these facts to weed out bad apples, otherwise the school would go bust and 100's of people would lose their job. The loss of privacy I can live with, the loss of a single mum's job because of a greedy fat man I can't. If faced with that decision again, I would make the same choice in a heart beat.

    There is also another good reason for this which is not entirely related to sensitive information leaving the company via company email and that is the sexual harassment/bullying. It is necessary to monitor email to limit this kind of activity before it blows up in your face. We recently did an audit of email boxes and found that 60% stored what would be considered (by law in Australia) as an offensive amount of porn that the company could be and would be held liable for. What was worse was massive internal/external mail groups that were being sent to. I have no problem with porn (of the legal kind) just view it and send it on your own time. No one likes to see you spanking it at your desk!

  • by chammel (19734) on Wednesday June 08, 2005 @10:23AM (#12757251)
    This is a virus and worm vector; we block as many webmail services as we can find plus some content scanning to discover webmail sites.

    Prior to 3 years ago our organization has had 2 worm outbreaks in 1 year both of them have been because of webmail clients. After putting into place webmail blocking we have had no virus or worms in the last 3 years.
