
US Firms Read Employee E-mail On a Massive Scale

Posted by timothy
from the this-call-may-be-monitored dept.
An anonymous reader writes "In its fifth annual study of outbound e-mail and data loss prevention issues, Proofpoint found that 41% of the largest companies surveyed (those with 20,000 or more employees) reported that they employ staff to read or otherwise analyze the contents of outbound e-mail. 22% of these companies said they employ staff primarily or exclusively for this purpose."
  • Secure your email (Score:1, Informative)

    by Anonymous Coward on Thursday May 22, 2008 @09:16AM (#23504044)
    Mac OS X [joar.com] and Windows [marknoble.com]
  • by PC and Sony Fanboy (1248258) on Thursday May 22, 2008 @09:20AM (#23504104) Journal
    I had a boss who told us when we started that everything we did at work would be monitored.

    I didn't realize the extent of their monitoring! In the contract, it simply said 'all available facilities will be used to monitor employees while working'. I figured they'd check my email once in a while. They read emails, login/logout times, tracked employee positions (cameras in the office! A friend of mine was fired for taking breaks, when he went into his 'final' meeting, they showed him a time lapsed video of himself!) and recorded phone calls.

    All this would come up only when they had a problem with your work - If you produced results, they didn't care what you did otherwise, but if you weren't getting sales, they found some other reason why you were doing poorly...

    I spent 2 weeks skipping breaks and working through lunch trying to get a big (BIG!) contract and I was asked by my manager to try to get this contract. I spent the rest of my time trying to make some money in the meantime... and I was brought into the office one day and they presented me with the emails I'd sent to my wife during those two weeks and told me that I was wasting company time. I told them they needed to look at the cameras to see I never left my desk, and to check the phone tapes for the last week to see that I was working hard. Turns out they only saved the conversations for a day or two...

    I never got 'disciplined' for poor results after that.
  • Why is this news? (Score:1, Informative)

    by Anonymous Coward on Thursday May 22, 2008 @09:27AM (#23504184)
    This happens everywhere. Part of my duties at a Fortune 500 company was to restore old mail files from a few years back for numerous employees on a periodic basis. The auditors supposedly claimed it was part of SOX, and to prevent insider trading secrets and what-not.

    I don't miss those days calling back tapes all the time. Smaller, private companies are so much better to work for. More common sense practices and less red tape B.S.
  • How many have to? (Score:5, Informative)

    by Anonymous Coward on Thursday May 22, 2008 @09:33AM (#23504250)
    What they didn't mention in this is how many of the companies with more than 20,000 are legally *required* to monitor e-mail. In the financial services sector it is very common to have dedicated staff to perform this function. I would have loved to have seen that number but I can understand why they didn't include it in the interest of cramming a few more ads on that page.....
  • by farrellj (563) * on Thursday May 22, 2008 @09:46AM (#23504416) Homepage Journal
    Some countries, like Canada, treat email like paper mail, and you need a court order to read an employee's email. If you can't trust someone, don't employ them!

    ttyl
              Farrell
  • Re:How many have to? (Score:5, Informative)

    by JPLemme (106723) on Thursday May 22, 2008 @09:49AM (#23504440)
    For licensed brokers, the SEC requires that a certain percentage (~33%) of all outgoing emails be monitored. I supported the system used at a large financial services firm for just this task, and the people who had to read these emails weren't doing it because they enjoyed invading other people's privacy. Their biggest wish was a spam-filterish tool that would remove all the personal emails so they would only have to read the emails that were pertinent to the business.

    Of course the brokers knew that was the case when they were hired. You can't argue with the SEC.

    I know that there is bad, privacy-invading snooping going on in some firms, but when I see statistics like "41%" I want to know how many were doing it because they had to vs how many were just being creeps.
  • by Anonymous Coward on Thursday May 22, 2008 @09:49AM (#23504442)
    Our company has had to set up some email filtering and archiving. Why?

    A receptionist for our company was fired for sending out bulk pornographic email, including video. He has done it for months. He's suing us, because he claims he was fired because he is gay. We only have a few of those emails that he sent on backup because our backup only goes so far, will it be enough to not have to pay him big bucks and rehire him?

    An accountant was fired for gross incompetence. She fouled up our main systems, needed her password reset with the Feds at $100 a pop several times a month, etc. Finally, she comes in and demands to work 30 hours but still get 40 hours pay. She was fired after a public tantrum. She is suing us, because she is black and claims racial discrimination. We need a LOT of documentation to back up our claims that she wasn't a good employee, because she can just say we don't have enough black people, and that can be considered proof of discrimination by itself.

    We are heavily regulated about customer information. If someone emails out another person's personal information outside the company, and it makes the news, we all suffer. We have to monitor for that too.

    We have to take preventative measures to block bad language from coming in and going out. We can get sued because an employee called a customer a f*cker in an email, or because someone saw a dirty joke on someone else's screen (sexual harassment).

    Laws were written up to protect the "little guy", so now we have to prove to government agencies that we have made accurate hiring and firing decisions. We have to support our claims, and take preventive action, because there are so many ways that we can get screwed by employees I can't even count them.

    This week we had to let someone go because they came up short by $750. We had two people dedicated to figuring out what happened for two days. We spent a lot of money and time, and we are looking forward to the inevitable lawsuit. We have email to back it all up, and because of procedures we have in place, the emails are professional and straightforward, instead of casual and possibly derogatory. It took us a while to get here, but yes, this is what you asked for. By increasing our risk through lawsuits and regulatory compliance, we have to manage that risk by monitoring our employees.

    Go swear to your friends at home.

  • by murraj2 (987249) on Thursday May 22, 2008 @10:31AM (#23505022)
    This really depends on the company you work for. Many companies block all e-mailing, or in some industries such as Banking, it's mandated by law.

    The key thing is to get your work done and don't send stupid shit like the Paris Hilton video via e-mail. Most companies accept e-mail as a communication tool, and don't have a problem with you sending an e-mail that says "I'm working til 6, let's meet at 6:30 at XYZ restaurant for dinner." What they're monitoring is inter-office relationships, confidential information or other things that will become a problem for a company and will result in your firing.

    The main thing to ask yourself when you send an e-mail is "Is there anything in this e-mail I'd be embarrassed about or nervous about if my boss read it?"
  • by Anonymous Coward on Thursday May 22, 2008 @10:36AM (#23505104)
    I work for a large (300,000+ mailboxes) company in the financial industry. I happen to work in the electronic communications group as a systems architect and my specific area of expertise is the design and implementation of systems that monitor email and IM conversations of employees. At a high level there are two major reasons we have systems in place that monitor these types of communications:

    1) Because my company is a SEC & NASD registered company we are *required* by law to both actively monitor (in some instances we stop emails mid stream and hold them in a queue until a reviewer approves them) and archive all email/IMs of all employees who carry a license with those organizations. To not do so would be considered criminal activity and we would incur huge fines (hundreds of millions of dollars). We've been fined before; those fines were creatively structured to require that we invest XXX millions of dollars into systems that allow us to meet the requirements. A very basic example of the type of thing we monitor for are indications of insider trading. More than one broker has been let go after being caught trading unethically.

    2) The second major reason we monitor electronic communications is to limit the liability of the company by halting the distribution (usually unintended) of non-public information... also known as NPI. A basic example of the types of things we monitor for are things that impact the financial well being of our customers (both people and business customers) such as account numbers, SSNs, passwords, insider company information, etc. Everyone who works at my company is subject to this second type of monitoring.

    Naturally having these systems in place opens those who are being monitored to having their communications scrutinized for other types of violations... namely violations of corporate policy. i.e. use of profanity or other behavior deemed inappropriate and not considered behavior that is acceptable as representative of the corporation's image. We do actively scan for these types of issues, but generally just file the information away in case it triggers a customer complaint or is identified as repetitive and needs to be addressed by a person's manager.

    I don't want to discuss the products we're using today because that is proprietary information, but I can tell you without a shadow of a doubt what direction the monitoring industry is going. There are already a handful of companies who can actively monitor data using a common set of rules/policies at every layer of the infrastructure. There's a company called Orchestria, for example and who we have been talking to recently, who through a centralized policy engine can monitor literally everything you do on your computer through agents installed on the desktop, agents installed on IM gateways, agents installed on mail servers, agents installed on proxy servers and a border agent appliance that ideally sits in the DMZ that will perform packet level scanning and can block literally anything that it can read from those packets... going as far as to block encrypted data or brute force hack encrypted data on the fly and hold it in queue until it is scanned.

    Scary right?

    It depends on who you are I guess. As a technical person and admitted nerd I think that's cool as hell. It's the conspiracy theorist in me who is scared.
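
The two monitoring tiers described in the comment above (hold-for-review for licensed senders, NPI scanning for everyone), as an added example that is not part of the original comment and not any vendor's product. The sender list, verdict names and sample messages are constructed, and Luhn-checked card numbers stand in for "account numbers".

```python
import re
from email import message_from_string
from email.utils import parseaddr

LICENSED = {"broker@example.com"}  # constructed: senders holding a securities license

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def luhn_ok(digits):
    """Luhn checksum: weeds out random digit runs such as order or phone numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_npi(text):
    """Return the NPI categories found in text, in rule order."""
    hits = []
    for area, group, serial in SSN_RE.findall(text):
        # Skip ranges that are never issued as SSNs, to cut false positives.
        if (area not in ("000", "666") and area[0] != "9"
                and group != "00" and serial != "0000"):
            hits.append("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            hits.append("card_number")
    return hits

def route(raw_message):
    """Verdict for one outbound, single-part, plain-text message (assumption)."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    hits = find_npi(msg.get("Subject", "") + "\n" + msg.get_payload())
    if hits:                  # NPI tier: applies to every employee
        return ("quarantine", hits)
    if sender in LICENSED:    # licensed tier: wait in queue for a reviewer
        return ("hold_for_review", [])
    return ("deliver", [])

# Constructed sample messages, not real traffic.
SAMPLES = {
    "npi": "From: Clerk <clerk@example.com>\nSubject: account update\n\n"
           "SSN 123-45-6789, card 4111 1111 1111 1111.\n",
    "broker": "From: broker@example.com\nSubject: lunch\n\nNoon at the usual place?\n",
    "plain": "From: clerk@example.com\nSubject: tonight\n\nWorking til 6, dinner at 6:30.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, route(raw))
```
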
  • by stonetony (464331) on Thursday May 22, 2008 @10:56AM (#23505458)
    Your argument completely ignores the fact that both the healthcare and financial industries have government oversight that requires that companies actively monitor emails. Not monitoring messages in those sectors isn't even an option on the table. If they don't do it the government fines them.
  • Re:Secure your email (Score:4, Informative)

    by MacDork (560499) on Thursday May 22, 2008 @11:29AM (#23505944) Journal

    Using the proggies you linked to also tends to stick up like a sore thumb in any workstation app auditing.

    Did you even read the links? You aren't loading an executable of any kind. Those are instructions for placing a S/Mime certificate in the correct place so the "proggies" you use already can find and use them. The same can be done with Lotus or any other decent email client produced in the last 5 years or so.

    Frankly, if you're doing any sort of business at all, and you AREN'T using encryption... you're a fool. Economic espionage [bbc.co.uk] can wipe out your business.

  • Re:Get back to work! (Score:4, Informative)

    by Lumpy (12016) on Thursday May 22, 2008 @11:43AM (#23506260) Homepage
    Yup I grabbed driftnet and modified the code to also display the IP address. Fairly trivial
  • by Anonymous Coward on Thursday May 22, 2008 @12:28PM (#23506950)

    Some countries, like Canada, treat email like paper mail, and you need a court order to read an employee's email.
    WTF? Being in Canada and having worked at companies that actively monitor e-mail, I can say this is false.

    I know of one company that actually reads EVERY e-mail, granted they are small. The large majority monitor for keywords and patterns.

    Just my CAD$.02
  • Re:Get back to work! (Score:3, Informative)

    by Lumpy (12016) on Thursday May 22, 2008 @01:05PM (#23507554) Homepage
    Nothing. It's a 100 base hub connecting a 3mbit internet connection and had only 3 devices connected. Switch, router, my sniffer. With such low bandwidth for internet nothing changed.
  • by linuxbert (78156) on Thursday May 22, 2008 @01:09PM (#23507612) Homepage Journal
    Not true.
    Email is treated like paper mail, however if it is addressed to the company, then they own it and can read/open and redirect as they see fit.
    The company, or anyone, can't read your personal mail, but if it has the company's address on it, it is addressed to them, so they can.
  • Re:Get back to work! (Score:4, Informative)

    by tyrione (134248) on Thursday May 22, 2008 @01:44PM (#23508256) Homepage

    Yup. I stopped "special" surfing at the office when I put a linux box on a hub between the network internet router and the switches. I simply sniffed all traffic for image files and displayed it on a 42" LCD out in the sales area. Images were displayed of what people were surfing. I also attached the ip address of the user to the image. It stopped inappropriate internet surfing in that office in 3 days. When everyone can see what you are doing, you get back to real work.

    Yet, I don't know who has managed to slit my tires consistently for the past 3 years since I started this approach. Also, since I never get asked to company socials I've got more free time to think of even more creative ways to piss off my fellow staff members.

    Of course this all could be solved if we worked in a business that required actually creating/inventing products instead of managing peoples services.

  • by rsborg (111459) on Thursday May 22, 2008 @02:22PM (#23508852) Homepage

    All of this makes me wonder if anyone has ever heard of SSH!
    You forget that some of us work where all ports aside from 80, 443 and a few others are blocked. Blocking port 22 is a very good idea for the paranoid (read: cautious) sysadmin, as these days botnet zombies are starting to use secured comms.
  • by AHumbleOpinion (546848) on Thursday May 22, 2008 @04:08PM (#23510496) Homepage
    I hope you can explain how someone can get (realistically) sued because their employee surfed porn. I'm dying of curiosity here.

    You have obviously never had any corporate sexual harassment training. ;-) Things visible to coworkers or visitors, even "tame" bikini calendars, can create a "hostile workplace". It is largely a judgment call by the "victim". If he/she says they were uncomfortable, made a report to management, and management failed to take action the company can be sued and more importantly may in fact lose.
