Forgot your password?
typodupeerror
Privacy Businesses Communications Security IT

US Firms Read Employee E-mail On a Massive Scale 263

Posted by timothy
from the this-call-may-be-monitored dept.
An anonymous reader writes "In its fifth annual study of outbound e-mail and data loss prevention issues, Proofpoint found that 41% of the largest companies surveyed (those with 20,000 or more employees) reported that they employ staff to read or otherwise analyze the contents of outbound e-mail. 22% of these companies said they employ staff primarily or exclusively for this purpose."
This discussion has been archived. No new comments can be posted.

US Firms Read Employee E-mail On a Massive Scale

Comments Filter:
  • by Lord Grey (463613) * on Thursday May 22, 2008 @09:16AM (#23504042)
    From ProofPoint's products page [proofpoint.com]:

    Proofpoint's unified email security and data loss prevention solutions provide complete protection against both inbound and outbound messaging threats. Learn more by exploring the Proofpoint Platforms and Modular Defenses links, below. Proofpoint solutions:
    • Defend against inbound threats such as spam, viruses and denial-of-service attacks
    • Prevent leaks of confidential or private information with robust, easy-to-use data loss prevention features
    • Encrypt sensitive information, based on customizable email security policies
    • Analyze messaging infrastructures and implement data loss prevention policies immediately
    • Are available in multiple deployment platforms including hardware appliances, anti-spam virtual appliances, software and on-demand service

    It may be just me, but I get really suspicious when a company in any business sponsors a survey and then uses the results to justify their own existence.
  • by Reality Master 201 (578873) on Thursday May 22, 2008 @09:17AM (#23504052) Journal
    Particularly for the Slashdot crowd? Hell, a portion of the readership is probably responsible for helping to implement such measures.

    Don't use your work email for personal stuff. It was never a good idea, and it's becoming ever less of a good idea. Don't say anything in an email that you wouldn't say in person or in writing. Be professional.

    Also, don't forward chain letters, don't send around forwards of kitten pictures, pr0n, jokes, political screeds, etc. etc. Most people don't want to get it and you're wasting bandwidth.
  • Your rights? (Score:3, Insightful)

    by qoncept (599709) on Thursday May 22, 2008 @09:18AM (#23504066) Homepage
    I hope people realize this is evidence of how reasonable it is for a company do monitor your e-mail rather than acting like they are being violated. You can't chat online with babes all day.
  • by hyperz69 (1226464) on Thursday May 22, 2008 @09:22AM (#23504122)
    It's that really big Company, AMERI CO. the one I have a lifetime contract with. When they check my emails, thats where I draw the line.
  • by Otter (3800) on Thursday May 22, 2008 @09:23AM (#23504126) Journal
    ...staff to read or otherwise analyze...

    I would imagine that that breaks down to 100% running scanners against email and maybe looking at flagged messages and 0% routine reading of email.

    Given the tedium of slogging through just my own email, you couldn't pay me to spend all day doing that for other people.

  • by schnikies79 (788746) on Thursday May 22, 2008 @09:23AM (#23504136)
    problem solved.

    wow, talk about a non-issue.
  • by Reality Master 201 (578873) on Thursday May 22, 2008 @09:25AM (#23504160) Journal
    And how long did you stay there? If it was more than 2 weeks past however long it took to find another job, you're a sucker. No offense, but that's some super-duper bullshit treatment.
  • by Dreadneck (982170) on Thursday May 22, 2008 @09:30AM (#23504226)
    Of course companies are going to monitor information being sent out over their internet connections. They would be crazy not to. Want privacy? Email on your own time and your own dime.
  • by maxume (22995) on Thursday May 22, 2008 @09:31AM (#23504228)
    The shadiest thing they could possibly do is to monitor your email and not disclose it.

    If they are disclosing that they monitor your use of their resources, you can choose if you are willing to put up with it or not.
  • by thermian (1267986) on Thursday May 22, 2008 @09:37AM (#23504302)
    having seen the amount of crap that gets sent around work email when it's not monitored, I can see the purpose of checking the email of employees.
    Personal emails should only ever be sent from personal email accounts. That's just common sense.

    After all, how dumb is it to put personal information into a system that is likely to see it archived for years in a system you are unlikely to have any control over.

    Work email should be just for that, work. Just saying that won't work though, people, especially people who use computers, act with some kind of weird collective stupidity at times that can cause even the most sensible people to do and say things they would never do otherwise.

    Better to monitor and make sure everyone follows the rules then have an email from your company showing up on the Internet saying something you would never condone.

    Before any 'ooh, I've read 1984 so I am an expert on surveillance societies' morons chip in, I'm talking about the cold hard reality of business here. One wrong word can send stock prices through the floor.
  • Re:Your rights? (Score:5, Insightful)

    by Hankapobe (1290722) on Thursday May 22, 2008 @09:38AM (#23504304)

    I hope people realize this is evidence of how reasonable it is for a company do monitor your e-mail rather than acting like they are being violated. You can't chat online with babes all day.

    I agree with you. Also, it doesn't even have to be like that.

    I see it like writing a letter and using company letterhead - only it's a domain for email. Your correspondence can imply that it's part of the business of the company you're sending it from. Now, I know someone is going to write, "So, if I send an email from my Yahoo! mail account it implies that I'm doing Yahoo! business?!"

    No. That's not what I'm saying. If I'm at my place of employment and send an email to someone that may be inflammatory, offensive, threatening, or whatever, someone can come back and say, "Hey, what's this? Someone at XYZ Inc. is threatening folks?!?"

  • by stuporglue (1167677) on Thursday May 22, 2008 @09:42AM (#23504364) Homepage
    At work it's ok to chat with friends, in moderation, as long at the work gets done.

    Even with that policy though, when I chat with my wife or friends when I'm at work, I use Off The Record to encrypt my conversations.

    It helps that my wife and brother Adium which already had it installed, and that I use a Linux at work which has packages in the repository.

    And when I do send emails from work it's from Gmail, and always with https.

    I figure that the work email is for work stuff, and they can monitor their business stuff all they want. For my personal stuff, it's personal and I'm not going to give them the chance.
  • by Penguinisto (415985) on Thursday May 22, 2008 @09:49AM (#23504444) Journal
    Trust me - if the email admins noticed you, Joe Low-Level Employee, shuffling encrypted emails back and forth, you'd be frog-marched out of the corp faster than you can say "WTF?"

    Small companies? One admin who does email in addition to everything else. Mid-sized companies? There's prolly one, maybe two dedicated admins, and they're more interested in using your emails as a means to track SMTP problems than in reading what's in 'em.

    Large corps? Heh - you're just begging for attention if you start flinging around abnormal-looking SMTP traffic; esp. in really big companies that get a touch paranoid about such things as corporate espionage.

    You'd be better off risking the attention of the proxy-minders with webmail than by dicking around with encryption on your email client. Using the proggies you linked to also tends to stick up like a sore thumb in any workstation app auditing... and you could conceivably get fired faster for loading unauthorized software onto your corp-issued equipment than a quickie email to your girlfriend describing in graphic detail at what you want to do to her when you get home.

    Besides, most email admins have better things to do than grep emails (e.g. battle spam, figure out and fix bounces from remote mis-configured servers, curse at Verizon's RFP-non-compliant configs, keep enough inodes handy in /var, pound the load averages down to something sane, beg the powers-that-be for decent equipment, etc).

    Unless your corp specifically has good reason to be ultra-anal about security (e.g. gov't contractors, Microsoft/Intel/IBM-sized corps, etc), then monitoring user emails with anything beyond simple log and traffic grepping tools is a waste of resources and time. Any company that spends more time watching their employees than their customers is a company that isn't long for the world these days.

    /P

  • by BVis (267028) on Thursday May 22, 2008 @09:55AM (#23504526)
    What makes you think the next place will be any better? So long as this sort of thing is legal/unregulated, you can assume every employer will do this in the name of productivity/competitiveness/because they can. If you're lucky you'll find a company that understands how treating your employees like human beings until it's proven that they're causing a problem is better than automatically assuming everyone is a lazy lying scumbag.

    I also have to point out that the people who do actual work are the ones impacted by this sort of bullshit. Executives don't get disciplined/fired for sending a three-line email to their spouses unless one of the other executives wants them gone for some reason.
  • by drsmithy (35869) <drsmithy@@@gmail...com> on Thursday May 22, 2008 @09:56AM (#23504554)

    Large corps? Heh - you're just begging for attention if you start flinging around abnormal-looking SMTP traffic; esp. in really big companies that get a touch paranoid about such things as corporate espionage.

    There is an implied point here that deserves highlighting.

    The people who are employed specifically to analyse outgoing mail, aren't looking for you emailing your girlfriend during working hours, forwarding chain letters, or calling your boss names. They're looking for the folks whose "inappropriate" mail will cost the company big $$$$ - corporate espionage, sexual harassment, etc.

    Most people will never be in position to be monitored thus, because they'll just never be "important" enough.

  • Overzealous much? (Score:2, Insightful)

    by sjbe (173966) on Thursday May 22, 2008 @10:02AM (#23504622)

    I was brought into the office one day and they presented me with the emails I'd sent to my wife during those two weeks and told me that I was wasting company time.
    Wow. I'm note sure whether to be impressed at your restraint or appalled. I would have walked out right that second and never looked back, consequences be damned. I'm a little touchy about not working for assholes however.

    Any company that feels the need to monitor their employees that closely without a really compelling need is not going to last long. (I define compelling need as something on the order of national security, building weapons systems, guarding highly valuable financial assets, or similar activities) If they can't ask you for results and trust you to go get them, that isn't a working relationship that is going to be productive.
  • by sjbe (173966) on Thursday May 22, 2008 @10:10AM (#23504748)

    What makes you think the next place will be any better?
    Might not be but neither I nor anyone I know works for a company *that* intrusive. Seriously, why would anyone put up with that unless your employer was the Marine Corps? I don't have a problem with companies wanting work resources to be used for work. Heck I've insisted on it in companies I owned. But there has to be a standard of reasonableness.

    I always told my employees that as long as they got their work done with good quality and on time, we would get along just fine. If they abused that trust they might get a warning but only once. And you know what? It worked. I've had very little turnover and high morale and my employees really worked hard. Sending a few innocuous emails to a significant other doesn't qualify as a breach of trust. Looking at porn in the workplace would be a firing offense. It's really all about what is reasonable.
  • by bball99 (232214) on Thursday May 22, 2008 @10:25AM (#23504956)
    reading the posts here definitely reminds me of numerous scenes from the 1985 movie, Brazil...

  • Re:Your rights? (Score:4, Insightful)

    by Belial6 (794905) on Thursday May 22, 2008 @10:33AM (#23505052)
    That is the first good excuse I have heard for monitoring company email. Of course, if the company doesn't have a similar policy about use of company letterhead, then the reason doesn't fly. My problem with these things is that different rules are applied when its "on a computer".

    The company can solve this problem by making sure that it doesn't block web mail sites. After all, the problem is the domain name right?
  • by Abcd1234 (188840) on Thursday May 22, 2008 @10:36AM (#23505112) Homepage
    That's only true in a non-competitive labour market. Any high-skill area where there is a reasonable level of competition, people will simply move to another company where they'll get treated better.

    What does this mean for employees? Develop expertise. If your skills are in reasonably high demand, and you can't be easily replaced, the power weighs heavily on the side of the employee.
  • by sjbe (173966) on Thursday May 22, 2008 @10:41AM (#23505214)

    Because the employer/employee relationship isn't equitable. It boils down to "We have money, you don't. We make the rules, if you don't like them, no money for you."
    You are familiar with the term "at will employment"? You do realize that the terms of many/most jobs are significantly negotiable? You do realize that there are a huge number of companies out there and you can choose which one to work for? It's not nearly so unbalanced as it might appear at first glance.

    The employer/employee relationship is not equitable only if you let it be that way. They need something done and are offering you compensation to do it. That's a fair trade. If the company is not offering fair compensation in reasonable working conditions then don't take the job. Yes, sometimes you'll run into some assclown running the show. Move on as soon as circumstances allow. It's a big world and life is too short to spend it working for jerks.
  • by TheSpoom (715771) * <{ten.00mrebu} {ta} {todhsals}> on Thursday May 22, 2008 @10:51AM (#23505378) Homepage Journal
    And I'd totally have left to go to an office that cares about productivity and not how or when their developers are working.

    Also, Tor and/or encryption.
  • by Hoi Polloi (522990) on Thursday May 22, 2008 @10:57AM (#23505476) Journal
    Maybe you need to focus on tightening your hiring process.
  • by Anonymous Coward on Thursday May 22, 2008 @11:05AM (#23505564)
    What I still don't get is why things like web surfing etc. are necessarily always seen as bad by companies. I mean... sure, if you're a grunt who gets paid to mop floors or so, your employer won't want you to do anything else on company time; but if you're an engineer, a programmer, a designer or so, someone who's paid to THINK, then it really should be obvious that keeping you happy and motivated is the way to go.

    And that's doubly true given that you can't force people to be creative - if they're burnt out, they're burnt out, end of story. It's better to allow them to recharge and relax a bit than it is to drive them on with the (metaphorical) whip - you're not going to get anywhere, anyway.

    Ever wonder why Google is so successful? Here's a hint: corporate culture and motivation.
  • by Anonymous Coward on Thursday May 22, 2008 @11:06AM (#23505568)
    Well, the companies keep telling us "don't expect a job for life" and now we don't, they realise that means looking for a new (better) job is a long-term continual process and NOW they don't like it.
  • by King_TJ (85913) on Thursday May 22, 2008 @11:19AM (#23505798) Journal
    I work in a smaller business (one of those shops where I'm the only only doing both the email administration and pretty much all the other computer-related stuff). What I tend to see is employees *receiving* non work-related material, not so much SENDING it.

    Some employees don't even have a home computer with Internet access, so all their friends start sending their "funny photos", jokes, and so forth to the only contact address they can find for the person - the work email.

    You *could* "blacklist" those people from sending you things, but come on! These are the employee's friends or relatives. They really don't want to block everything they might send them, because sometimes it's relevant or useful.
  • by King_TJ (85913) on Thursday May 22, 2008 @11:37AM (#23506134) Journal
    I agree with much of what you're saying. But I'd also point out that email *filtering* and *archiving* are two vastly different things.

    It seems to me that practically all of the issues you're bringing up could be handled successfully by retaining good email backups, going back for a reasonable length of time?

    Our company doesn't do anything special in the way of attempting to read employee's emails or filter their content. But we DO have backup systems that dump copies of all the mailboxes onto nightly backups, and we keep a couple alternating "month end" tapes, plus a "year end" tape that's archived away.

    This way, if something actually comes up, there's a decent amount of supporting email evidence that can be retrieved for that specific situation.

    Otherwise, employees have a general expectation that nobody's monitoring their daily email correspondence in a "big brother" fashion.
  • by AHumbleOpinion (546848) on Thursday May 22, 2008 @12:06PM (#23506628) Homepage
    What I still don't get is why things like web surfing etc. are necessarily always seen as bad by companies.

    Note that the original poster wrote 'I stopped "special" surfing at the office'. There is a pretty high probability that this is referring to porn. Tolerating employees visiting porn sites is one way a company can get sued. Of course while the solution described in this article is cool and amusing, it is probably another way to get a company sued.

    Ever wonder why Google is so successful? ...

    Inertia mostly. They had a brilliant idea a while ago and have refined it since then to maintain competitiveness. Google has done many cool things since then but they are mostly a drain on success or neutral, some mild successes, but no big successes outside the original domain. Also, it is doubtful Google allows employees to browse porn sites either. With their deep pockets their fears regarding law suits are going to be pretty high.

    ... Here's a hint: corporate culture and motivation

    Clue: "Law of Small Numbers", http://en.wikipedia.org/wiki/Hasty_generalization [wikipedia.org]. :-) Google pretty much has a dot bomb culture. I think the spectacular success of one instance of a dot bomb culture is distracting you from the many failures. It is premature to say that Google's success is due to anything beyond a brilliant idea at the right time combined with rich angel investors. Their initial success and its continued dividends allows them to afford many inefficiencies, perhaps many elements of their cultures fit into this area. Keep in mind that success can hide inefficiency and that the true causes of success are sometimes erroneously attributed.

    Now at least one element of Google culture, allowing employees the time to work on pet projects that many benefit the company, may have a proven track record. 3M allowed this for decades and many useful products emerged. Google may follow 3M's lead, but it is a little early to pass judgement.
  • by Rycross (836649) on Thursday May 22, 2008 @12:13PM (#23506764)
    You'd be surprised. Some contractors did something like this at my company in order to use IM software and read external email. They were quickly found out by our admins, and told to knock it off or they would get terminated. And this is a very big company.
  • by 77Punker (673758) <spencr04@nOsPAm.highpoint.edu> on Thursday May 22, 2008 @12:44PM (#23507210)
    All of this makes me wonder if anyone has ever heard of SSH! Whenever I'm away from home, I just SSH into my own computer with X forwarding enabled. Bam! I can do just about anything I do at home on another computer and my tracks are pretty much covered.
  • by stonetony (464331) on Thursday May 22, 2008 @12:58PM (#23507432)
    HTTPS is not protection against an intelligent network appliance. I know this because my company employs an appliance that sits in stream that identifies the originating HTTPS connection and intercepts the key that is supposed to be passed back to the client. Instead what happens is the network app creates a bogus key that it passes back to the client and maintains the encrypted relationship with the target website directly. What the client gets back is NOT the encryption from the website... it's spoofed encryption. That allows the appliance to read everything it wants that is being communicated between the two points.

    The concept of network security is about as effective as the concept of airport security.
  • by Livius (318358) on Thursday May 22, 2008 @01:15PM (#23507726)
    Correspondence from your work e-mail is no different from paper mail on company letterhead. The company owns what has its name on it and what's composed on company time.

    But some companies might be better off putting that kind of effort into quality control on the *products* they send out, rather than correspondence.
  • by element-o.p. (939033) on Thursday May 22, 2008 @02:17PM (#23508768) Homepage
    You are choosing to be a victim. Don't get me wrong -- I'm not blaming you. I was in a similar position once. However, I learned from that experience, and I will never be bullied by an employer again. Ever.

    In that job, the owner was easily the most arrogant, foul-mouthed jerk I have ever met in my life, with the possible exception of his father, who showed up around the office from time to time. During my tenure there, I watched at least two other employees get fired because the owner found out they were looking for other jobs -- "if you don't want to work here, I don't want you working here," was his reasoning -- and three employees get fired for other reasons. That may not seem like much, until you realize that there were never more than 12 people working at this company at any one time.

    When I finally moved on to greener pastures, I realized how much I had narrowed my own options while working there, and how much happier I was once I was employed somewhere else.

    Trust me -- if you have any marketable skills at all, you can and will find another job. It might get a little tight for a while, but no job is worth the stress of such a crappy working environment.
  • by wanax (46819) on Thursday May 22, 2008 @03:03PM (#23509486)
    If somebody sues for sexual harassment, etc, porn surfing in the office would be used as red flag evidence that the company tolerated or facilitated a hostile work environment for women.

"A mind is a terrible thing to have leaking out your ears." -- The League of Sadistic Telepaths

Working...