Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Privacy

Protecting Your Company While Protecting Privacy? 184

gmhowell asks: "After reading this story on Slashdot, it seems to me that I haven't heard of a good proposal from employees regarding their e-mail/browsing privacy compared to the demands that a company avoid lawsuits. I manage a small business and am well aware of how bizarre the EEOC and others can get when it comes to sexual harassment, racial quotas, etc. For example, if a delivery person flirts with a secretary too much, is it UPS who has created the hostile workplace? Nope. It's my company. Similarly, the company can and will be held liable for any e-mail sent that ends in '@familyhealthcarepa.com'. So we really should be monitoring all e-mail, both internal and external. However, most of our employees are trustworthy, hardworking, and not interested in using our system to create mischief and I really don't want to turn into 'Big Brother'."

"Sure, I'll block a URL here or there but spot checking e-mail? How long until some smartass comes up with a .sig containing all of my keywords?

In general, people are going to be more productive if they take their five minute break at their terminal browsing than screwing around by the coffee machine. Along the same venue, I am not interested in tracking 'abuse' (such as hitting eBay, checking the sports scores, etc.) If someone is using that much time that it interferes with their job, I'll be speaking with them regarding their dereliction of duties in general, and not speaking to them about Internet usage in particular.

So, again, I pose the question: what sort of policy and procedures will protect the privacy of employees' surfing and e-mail, while still protecting my company from liability?"

This discussion has been archived. No new comments can be posted.

Protecting Your Company While Protecting Privacy?

Comments Filter:
  • by Anonymous Coward
    Will have a clause against use by lawyers. Its only fair, they seem to like doing the same to us.
  • by Anonymous Coward
    That's crap. There are no "private moments" at work. People, this is WORK. If it was FUN they'd call it that.

    Tell employees to limit their e-mail to a standard comparable to their telephone calls. Too many personal calls/e-mails is a bad thing. How many is "too many" is a matter of judgement on the part of the employee AND the management involved.

    If it's not work, save it until you get home.

    Now, get back to work you lazy bastards. ;>

  • IANAL, and I am looking at this mostly from an employee perspective. some of the ideas suggested either won't work or will cause too much collateral damage.

    1. Block outgoing mail? That might be acceptable at some companies, but at most it would cause productivity to nosedive. If you'd rather your employees spend 3 hours playing telephone tag than 5 minutes composing an email, cool.

    2. Issue 2 email addresses? An insignificant increase in the time that it takes to read your mail, so it doesn't cost much. But if you say something that gets the company sued, I'm fairly confident that the company will still be on the hook.

    3. Filtering software? "It's OK, honey, I've had a vasectomy. The check's in the mail. User friendly. You're the only cutomer that ever complained." Yeah, maybe one day we'll have filtering software that does what it's supposed to, supported by a company with no hidden agenda, but in the meantime I'm keeping it well away from any machine I control.

    I like the idea of bringing the employees into the loop before deciding on policy. Given some of the lunatic decisions on what constitutes harrasment, e.g., Sports Illustrated, I suspect that companies really do need to monitor in order to protect themselves. But if they start putting video cameras in the lavatories, I might sue.

    BTW, I find it ironic that with some of the dunderheaded decisions that innocent behaviors are harrasment, it can be extremely difficult to collect in cases of genuine harrasment.
  • by Anonymous Coward
    If it's not work, save it until you get home.

    Hey, no problem. Of course, we'll be leaving for home one nanosecond after the clock says we can leave.

    Oh, you wanted more than 40 hours per week of work out of us? Then start paying us for it, you greedy skinflints.

  • Where I work most of the remote users change positions often enough that they have userids like cn_ast2 (Property CN, Assistant 2), and they still plenty of personal mail.
  • by Analog ( 564 ) on Wednesday August 30, 2000 @08:27AM (#815597)
    Bingo.

    The law has determined that you need to be held responsible for the actions of any individual who works for you, which requires draconian privacy invasion in order to protect yourself.

    So do it.

    However, make sure your employees know why you're doing it. Tell them you have no interest in their activities, but must monitor them in order to avoid very expensive lawsuits. Then give them a list of phone numbers and addresses, and let them know if the liability can be changed, so will your policy. You'd be surprised at how many otherwise disinterested people will take an active role in politics (if only by making sure to vote or writing their congressman every so often) when you bring it home to them how these laws affect them on a day to day basis.

    A good way to get them motivated would be to explain that most of these laws are created from the standpoint that employees are pretty much considered to be 'company property', and have no inherent privileges or rights; only those granted by the employer (which is why companies can be held liable for any activities which employees engage in, even sometimes outside business hours).

    Do a good job of informing your workforce, and they'll think twice about voting for that yo-yo who says he's only trying to "protect the children".

  • Non-work-related email can be handled through home accounts, POP3 to an employee's ISP's mail server, web mail, or what-have-you.

    This is a much better way to do things. I don't like sending private emails to anyone from my company account anyway. I use a shell account to manage my private mail. It's only draconian if people aren't given an alternative.
  • Most people don't need email access at work.

    Huh? I'd say this depends very heavily on where you work. About 95% of the people in my office have to communicate directly with the clients they're working for. This solution would not work at all.

  • I am a lawyer, but this is not legal advice. if you need legal advice, consult an attorney licensed in y our jurisdiction.

    I assume you mean the fifth, but it doesn't matter: it is about governments. It *does not* apply to individuals. It also does not apply in civil cases--your refusal to testify in a civil case *can* be held against you.

    hawk,esq.
  • I get what you're driving at with your second point, but what about the times when someone is responsible and it's not a case of someone trying to make a quick buck? I say we need should start something along the lines of damage mitigation with immediate disclosure and remedy attempts, though. Possibly punative damages can't result from when a company has publically and effectively acknowledged a defect. Immediate effects (like hospital bills, etc) can be sued to recover, but not punative damages.

    --
    Ben Kosse
  • by jd ( 1658 ) <imipak AT yahoo DOT com> on Wednesday August 30, 2000 @09:16AM (#815602) Homepage Journal
    Here are some thoughts on how to make a workplace sane, given the current lawsuit-happy environment and the problems of abuse, vulnerability, etc:

    • Have "Safe Rooms". These rooms are officially =outside= the company, have a different IP address and domain name, have a different phone number, and are essentially "safe havens" for which the company can legitamately deny any responsibility.
    • Make available to ALL employees copies of:
      • The Verbally Abusive Relationship
      • The Road Less Travelled
      • Healing The Shame That Binds You
      • AA's "Big Book"
      • AA's 12 & 12
      • People of the Lie
    • Provide personal alarms to all employees, with the understanding that it's not "being weak" to use it.

    (I'm sure there are other excellent books, too, those are just the ones I can think of which help people to figure out where they want to draw their limits, to recognise warning signs, and to work out any issues of their own, without the company needing to get involved.)

    IMHO, this is exactly the same fight that mill workers had with mill owners, at the start of the Industrial Revolution, and has exactly the same answer as Robert Owen determined. An educated and sane workforce works better than a hurting and hurt one.

  • Seeing as everywhere I've worked has clearly stated that they can examine my email, etc because it's on their systems etc... I've stopped using it for personal stuff. With free services like Yahoo that have a web interface, there really is no need to use company services for personal stuff. I don't know if such an approach shifts responsibilty from a company when there is abuse... I'm just more concerned with my own privacy.
  • How much do You trust your Boss?

    Point being is that a LOT of companies are already using these tools and that majority of them do this with no intent to spy on their employees. But there have been many cases in the news about employees being fired for their "browsing" habits by various companies. Which only means that some companies ARE spying on their employees. And that boils down to how much do you trust your company?

    Ex-Nt-User
  • Personally, I don't think so. All it is saying, if you are running a side business, don't do it at your main job. Don't make them pay your expenses and your time for that side job.

    Don't use company resources for the sole betterment of your own enterprises. It's common sense to me. Your addition makes it a little clearer though.

    Annoyingly, IANAL either.
  • Unfortunately, putting something on the Internet is being legally interpreted as "publishing" - and this applies to e-mail as well. (much e-mail ends up forwarded and put on e-mail list archives, etc)

    That a conversation can be recorded doesn't mean it automatically is.

    Do you have a responsibility, as a business owner, to see what you are "publishing"?

    Unfortunately, the answer seems to be "yes".


    You're beginning to touch upon why business is starting to fight for effective instant messaging.

    But, people don't resent an "open" solution if they know it's there. Nobody minds a camera posted over their head if it's obvious, especially if they can SEE what's being/has been recorded.

    Your grasp of reality fails here. Several unions have been known for "accidentally" destroying biometric readers because they didn't even want their *fingerprints* recorded, let alone their words, thoughts, and actions.

    Look up the wars, incidentally, regarding audio recordings on security videos.

    --Dan

  • by Effugas ( 2378 ) on Wednesday August 30, 2000 @09:18AM (#815607) Homepage
    Stop.

    This presumption that all emails can and should be logged comes from the presumption that emails are equivalent to official memos from the corporation.

    They're not, and shame on anyone who would argue differently.

    The fact that harassing comments may be spoken at the water cooler does not obligate the company to install an audio recorder at that cooler. The fact that harassing comments often are spoken over telephone lines assuredly does not obligate a company to record all calls made to and from the office building. The fact that E-Mail can occasionally lead to harassing comments as well does not obligate the company to violate the privacy of its workers.

    Now, given an active suspicion(usually brought upon by an aggrieved party commenting to his or her manager), it's justified ethically to verify the charge by watching traffic in a limited manner. We wouldn't want someone to lose their job without their sins being proven.

    But to say that employers are mandated by government to spy on everything their workers do obscures the fact that the government itself is mandated a privacy violation infrastructure be built into every single workplace in the name of "protecting us from ourselves."

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com
  • IANAL. Postulate that some employee committs an offensive action and the company is sued. I go to court and prove that I took all reasonable precautions to prevent the employee from carrying out an offensive action. Am I still liable? Maybe. Does my insurance cover it? Probably. Is my insurance company happy? Not entirely, but they have no real complaint since I took all reasonable precautions.

    You can't eliminate risk. You thus work to mitigate it as much as possible.

    Thanks

    Bruce

  • The company should not be forced to be your phone company or your internet provider. If you could only speak through the workplace, it would be different.

    Bruce

  • by Bruce Perens ( 3872 ) <bruce@perens.com> on Wednesday August 30, 2000 @10:43AM (#815610) Homepage Journal
    It's not meant to be a non-compete, but I see your point. The particular situation that came up is that we found a really good deal that essentially nobody knew about, that got worse if more businesses participated. One of the employees wanted to take advantage of the deal for his own business in a way that would sour it for us. So, I asked him not to do that, and he agreed not to. But you are right that it should not read as a conventional employee non-compete, and I will fix that.

    Thanks

    Bruce

  • It's OK to use this text under the GNU Documentation License. I plan to put the whole handbook out as free software when I have time.

    Bruce

    Systems Use and Privacy

    In order to facilitate communications and business operations, the Company uses a number of devices, objects and systems. This includes but is not limited to mail, e-mail, telephones, desks, common areas, cabinets, files, computers, networks, passwords, voice mail, etc. Access can be made by the company to any or all of these items or systems at any time. Employees should not assume that contents of messages are confidential and will be only reviewed by the employee.

    The Company does not guarantee the security of the Company's systems, computers or telephones. If you need to communicate in a secure fashion, do it outside of Company buildings and without using any Company equipment or facilities. We employ technical experts who are able to read your computer data and tap your phone.

    Members of the executive staff, the employee's supervisor, or another employee at the direction of a member of the executive staff, may access, monitor and act on any message or communication or data in any system at any time and may view and consider and act on the contents of any item provided for use in the normal course of company business.

    None of this, however, conveys authorization for any employee to eavesdrop. The email, files, and other communications of your co-workers are not your business and you are to avoid situations that would expose you to them unnecessarily. "Snooping" is unethical and you are liable to be terminated if you engage in it.

    Our systems are never to be used for pornography, email spam, ethically questionable or unprofessional activities. Internet service is widely available outside of the Company at low cost. Do not consider us to be your "Internet provider": our Internet facilities are only for work. Internet communications that are not part of your job should be carried out using an outside internet provider, a non-Company email address and non-company URLs.

    In a nutshell...this means don't be doing nasty or illegal things in the office or on our networks. Respect the fact that your co-workers have access to information on the network and the computers and they would like to be able to respect you in the morning. The Company reserves the right to inspect information and work environment at any time, with or without notice

    No Personal Businesses On-Site

    It is understandable that many of the Company employees are entrepreneurs and may have one or more companies or separate enterprises, outside of their interest in the Company. It is our desire to nurture and respect the mindset of the entrepreneur. However, under no circumstances shall any employee of the Company run their own company at or through the Company. The use of the Company resources to conduct said business is strictly prohibited. All such enterprises shall be conducted completely off-site and shall not in any way be connected to or interfere with the normal operation of the Company

    It is understood and accepted that occasional phone calls will need to be made or taken with regard to personal business. However, there shall be no routine phone calls. There shall be no connections with your personal enterprises and the Company. You are not authorized to use computers, addresses or other Company property, licenses or identification numbers to conduct your personal enterprise. In addition, you shall not use to the advantage of your personal enterprise any business information acquired on the job, at the Company.

  • If you have to monitor your employees that much, you need new employees.

    I don't pretend I don't screw around during the day (for instance...now), but I think I am entitled. I work faster than average. I implement job-lightening scripts and procedures. My ultimate goal is that I implement a system that merely requires me to be somewhere in town if something goes wrong.

    So, if I'm endlessly reducing my workload (as part of my job), why wouldn't I have time for personal "stuff".

    If, however, I were doing illegal activities, it would be my own issue, and if it became apparent, then I should be terminated.

  • Shouldn't the law be the same regardless of the marital status of the secretary?
  • by gelfling ( 6534 ) on Wednesday August 30, 2000 @08:25AM (#815614) Homepage Journal
    Even if you monitor what are you monitoring for? Who does this protect? While it may afford the company the excuse that they can go after an employee it does not protect the company from anything per se. Moreover if you have an official policy of monitoring AND ALSO filtering then the company is setting itself up to NEVER send out anything that is in violation of the policy. That is, if you claim you are in compliance then you in fact HAVE TO BE in compliance and you may be exposing the company to even more trouble. In this case the liability is clear regardless of who sends out the offending email. Therefore you again have not actually protected the company from anything unless you the email admin can guarantee the process.

    You need to consult an attorney. You may also want to investigate some kind of business insurance to cover litigation and damages that may result.
  • The problem with this is that it places an unnecessary burden on the employer to police and spy on its employees. Come on now. If I write a threatening letter and drop it in my company's outbound mail box is it really the company's fault? Why then should the telephone or email be any different? If I have an illegal website running from my apartment, should my landlady be responsible for that as well? What ever happened to personal responsibility and the idea that we are presumed innocent until proven guilty?

  • It would be great if we could put the onus of responsibility taking care of email on the users, as in the example SEWilco raises. However, email is not currently regulated by the same set of laws. I believe that postal mail is protected from tampering in the U.S. by federal statue, e.g., it's against the law to read postal mail not addressed/delivered to you.

    Why is email treated differently? Email is not handled exclusively by federal employees. Does that mean that Joe User should trust their local postal employees more than their email admins? I suppose that depends on the employees and their email admins, but while immoral and probably subject to civil court, it is not a federal crime to read someone else's email.

    If you don't like it, write your senators, representatives, and everyone else who can affect a legal change.
  • "In addition, you shall not use to the advantage of your personal enterprise any business information acquired on the job, at the Company."

    This could be construed as a non-compete clause. In many states, these are unenforceable. You probably want to amend this to reference "trade secrets" and/or "business practices" instead. You can't tell me that as a web developer if I learn CSS or Javascript on the job I can't use that knowledge elsewhere. The whole point of employment is building your career and aquiring new skills. That statement is contrary to this basic principle of employment, and would be legally unenforceable, if not ethically questionable as well to request.

    Now, using the same analogy, if as a web designer a company I worked for designed a new dynamic backend to deliver for, say, news content, and that backend contained alot of new ideas and features not found elsewhere in the industry and where knowledge of that (if aquired by competitors) would cause material harm to the company, then yes.. such knowledge should be protected. However that should be done in a seperate document and made explicitly clear to employees both at the time of employment, and at periodic intervals afterwords (if it is that important, you should take great pains to ensure everyone knows this - due diligence).

    Yes, I know you don't mean this to be a legal document, but as a policy document for a company, it could be used in legal preceedings, however IANAL.

  • We have the opposite problem here. There's one guy that surfs pr0n sites during the weekend, yet gets lauded in company meetings for putting in long weekend hours. We've provided proof (HTTP sniffer logs) to HR and management about this, and they keep turning a blind eye. Whats our next recourse against this guy?
  • Companies only monitor e-mail for 1 reason, Political Correctness law suits.
    When companies have to pay millions for dirty jokes/etc, we end up in this draconian state that we have now.
    Common sense is no more, so laws are passed to regulate it.

    You may resume your daily illusion.

    -Brook Harty

  • by Christopher Thomas ( 11717 ) on Wednesday August 30, 2000 @07:54AM (#815620)
    If your company is liable for any email originating from it, then a logical solution is to block outgoing email from most users. Give the company a few official contact people who talk to clients directly, and act as go-betweens for other work-related email.

    Non-work-related email can be handled through home accounts, POP3 to an employee's ISP's mail server, web mail, or what-have-you.

    This is draconian, but it does virtually eliminate the problem of liability for outgoing email. Internal email management is left as an exercise to the reader.
  • by afc ( 12569 )
    What we all are waiting for though, are laws that protect the majority of ortography abiding posters from the privileged minority of spelling-challenged ones.

    On an even more pedantic note, I know of no country in the West where women are a "minority", no matter how much the gender gap at your CS classes might tell you otherwise. And to put the icing on the cake, I believe "lewd" speech is as much protected as prayer is.
    --

  • by afc ( 12569 )
    This makes absolutely no sense, I can publish a scientific magazine that uses the word 'fuck' in every other sentence (never mind context :-) and there's no judge or law enforcement authority that will shut me up on grounds of obscenity.

    No matter how much the religious right may have impregnated on people's minds, "free speech" doesn't protect speech against a government one doesn't like particularly, it protects all speech, even the proverbial "fire in crowded theater" cliché (the difference being the legal consequences of said speech).

    Unless we have a large disagreement as to what lewd means (incidentally, it meant "lay, laical" originally) you are way off base here, my friend.
    --

  • Why again do you think you have to record all E-mail? Are you supposed to listen in on all telephone conversation and bug people's offices as well? Who is going to pay for the effort that that kind of monitoring requires?

    I don't think monitoring is feasible. In fact, it may you expose to even more liability because it puts you in the position of being able to discover problems, and the presumption then may be that you knew about a problem but chose to ignore it.

    I'd prohibit any personal use of company E-mail (there is no need for it--web-based mailers provide an excellent alternative), have a clear policy on how employees can get help with problems, and indicate to external recipients of E-mail messages (in a header or signature) who they can contact in case of problems with mail they received. But if it really worries you, why not talk to a lawyer?

  • Explain to your employees what you've said - any mail going out with @mycompany.com exposes the company to liability, etc. Encourage them to keep the company name off personal business. Maybe also as part of your employment contract, make the employee indemnify the company against personal unauthorized actions which expose the company to liability, and explain this in interviews and when the employees start. If you explain to people why you have certain restrictions, and the explanation is reasonable, they're much more likely to comply with them.
  • In the situation I described a self-incriminatory situation. But what if they said that the use of encryption they didn't control was in and of itself wrong? Can you bounce an employee just for sending "hello world" with a private pgp key?
  • by swb ( 14022 ) on Wednesday August 30, 2000 @11:09AM (#815626)
    What about policies regarding the use of strong encryption in the office? For example, what if I do my "off limits" business at work in a completely encrypted fashion, but for whatever the reason the light of suspicion falls on me. If I refuse to reveal my key(s) which can then reveal the evidence against me, should the company be able to fire me because of that?

    In other words, should there be an organizational policy on encryption? Such as something like:

    "Only organizationally issued [and hence escrowed] encryption software and keys may be used to secure communications. All other encryption may be construed as evidence of prohibited behavior." or some other kind of legalese.

    To me this seems more draconian, but at the same time if the stated goal is maintaining comapany control over the computers and the data, I can't see how you could allow an encryption free-for-all without causing problems.

  • When I send a paper letter to you, does your company have people who review every letter which is received or sent?

    Actually, almost all mail that I receive at work (which is very little) is opened by the secretary long before it gets to me. And that's good too, since she usually can recognize junk mail and throw it away before I see it.

    If it's personal (e.g. all those love letters from Morgan Fairchild [ign.com]), it is sent to my home, not my place of employment.


    ---
  • What they need is "work" mail as opposed to personal mail. Perhaps this can be fixed by giving them a boring mail address such as sales05@company.com or support@company.com instead of joeschmoe@company.com. That might help keep other parties from thinking that it's appropriate to use that address for chatting about Joe Schmoe's girlfriend's hemmoroids.


    ---
  • Most people don't need email access at work. Just like most people don't need access to letterhead or a company credit card.

    You'd still be letting them access their personal email from work -- so it's not THAT draconian.

    And they can still communicate via email internally.
  • by wtpooh ( 15154 ) on Wednesday August 30, 2000 @11:53AM (#815630) Homepage Journal
    I have always wondered about the use of email evidence in court - it would be relatively easy for company A to invent nasty email messages from company B, all the way down to A's incoming mail server logs. If company B was not archiving all outgoing mail, it would have no way to prove that those emails were not genuine.

    So, what if the B's mail server logs only a checksum/hash of all outgoing mail? Then B would have evidence that could counteract A's account, but would not need to be intrusive or store huge amounts of email forever. While having each user PGP sign their documents would serve the same purpose (and be more reliable, since it would provide definite proof of a forgery), this system would be much easier to implement on a companywide basis.

  • Keep a copy of all email sent, but make it clear that company policy is not to search it unless there's a complaint of abuse. Hopefully, the consequence would be that the employee realizes there's a record kept of everything they send, and that will make them more responsible.

    I know this sounds a little bit like those stupid voluntary privacy policies that people like doubleClick have. But you're not them. You're a small business concerned about balancing privacy with responsibility. You might be able to handle it.

    Also, I really think that with the number of ways that someone can send and receive email today on the net, use of a company account for personal business is really not a must.
  • If you feel that it is important to protect your company from legal liability by monitoring employee use of systems, then you should make this clear to them. Time after time I hear stories about how some company was secretly monitoring employees and caught them doing something. Rather than treating it as some sort of game where you are trying to "catch" people, just tell them you are watching, how you are doing so, and also explain why.

    ---

  • IANAL, but I have a friend who works for a law firm (That must lend me credence, right?)

    In any event, all of her e-mail which leaves the office has a tag attached to it, identifying it as the sole property, expression and views of the writer. The same sort of disclaimer should be applicable in your case.

  • I find it curious how you in the US differ so much on this subject (privacy) from us in Europe (with the exception of the UK wich is to all purpose a police state).
    Our freedom of speech is not as pronounced as the US version, for example we can not legally promote hate like nazism.
    But we have a lot more protection when it comes to privacy, regardless where we are.
    Only after a company is informed that their systems are being abused can they start to investigate, usually under very strict rules and conditions.
    For example here in Holland the elected employees committee has to approve of the methodes to be used.
    Although the law is not quite clear most people expect the same protection against reading of their E-mail as there is against the unauthorised opening of ordinary mail, WHY NOT?
    When an employer needs the tool of tabs on internet and phone use to assure their employees are puting in their money's worth of work there is something rotten in the system.
    Modern companies set productivity targets and when people are meeting them it's rather unimportant what else they do!
  • What if I use a web interface to something like hotmail to send personal email? Is the company still liable because I've accessed my webmail on a company workstation?
  • Do you believe that the fact that email is more informal means that they require more monitoring? If we applied that policy to phone calls, which are just as informal in nature, then companies should be monitoring every phone call an employee makes in case they, "say something inappropriate."
  • When I send a paper letter to you, does your company have people who review every letter which is received or sent?

    No, I'm certain the paper mail is simply delivered to your desk.

    Not at my company. We are heavily regulated by the goverement, so most paper mail that goes in and out of the compnay is scrutinzed very closely.

    The responsibility with paper mail is with the individuals.

    Why change things for electronic mail?

    Because, unlike paper mail, electronic mail can last forever. It is very easy for me to write a letter by hand, then send it away with instructions to be destroyed by the recepient. The only copy is gone, with no record that it ever existed.

    Email is different. All those bits get backed up on a regualt basis, and then can be used in a court of law. I offer Microsoft as an example of this. What might seem like a personal message, could have significance in a harssment or wrongful termination case.

  • by lythander ( 21981 ) on Wednesday August 30, 2000 @07:59AM (#815638)
    Being in a similar situation, I have also pondered this koan, and believe it truly unsolvable. You want to to only monitor true abuses, not minor nit-picky transgressions, and respect privacy as much as possible.

    Can't be done.

    You need must monitor every email is you're to catch those creating true liability. You must log every page view if you're to catch the porn surfers. If you sample these things, those you catch can accuse you of singling them out. If you smple, you might miss some doosies. And as the filter companies have shown us, these sampling and filtering methods do not work (yet?).

    Perhaps what you need is a modest plan involving user education, a written policy protecting user privacy and agreeing to full disclosure when it must be violated in the course of some investigation, and enough documentation to demonstrate due vigilance wrt these issues in case a suit arises.

    In the end, those who want to bad enough will screw everything useful up for everyone. The trick isn't on preventing it so much as being able to prove that you made every reasonable attempt to prevent it.
  • Why are you looking for a good way to comply with a bad law? The problem is the law--fix it! Yeah, yeah, "I can't afford court fees", etc, etc, etc. Write your congress-critters (federal and state), talk to city/county councils, get your voice out there! These things can be fixed without resort to courts and expensive lawyer fees.

    Better yet, pay attention to current bills being considered. An ounce of prevention....
    --
  • Why not give your employees email adresses in a subdomain? For example: user@private.company.com

    Combined with a note on your webpage, company terms and so on, this could be a legal wrapper against such 'attacks'.
  • >You need to consult an attorney. You may also
    >want to investigate some kind of business insurance to
    >cover litigation and damages that may result.

    Done and done. That wasn't the point of my question. The point is: what is too much to an employee?

    Why not ask my own employees? Not technically savvy enough to give an educated response.

    BTW, part of the problem with the US is that we too often feel that the legal response is the correct one. Sometimes, one has to do what is right, which is what I am attempting to do in this case. As mentioned in an earlier post, blocking all email except for a few is the safest policy from a legal perspective. However, it's also the least kind to employees who have not done anything wrong. I have no desire to throw out the baby with the bathwater.

    As far as being compliant: welcome to the United States. I manage a business with > 50 employees. Therefore, I have to be as compliant with every bit of personnel law as General Motors and Microsoft. Whether or not we claim compliance has nothing to do with it.

    The point of this is not to go after the employee, as you seem to imply. It's to cover my own butt, while not pissing them off.
  • >Why change things for electronic mail?

    You'd have to ask the courts. They are trying (and succeeding) to reinvent the wheel.

    If 2600 had 'merely' printed the code in an issue of their magazine, there would be no case.

  • Not sure why I hadn't considered this before, as it has helped with some other policies we've been forced to introduce. This will receive some consideration.

  • They might be a smartass, but they would be a bright smartass. Someone cognizant enough of their situation to try to change it. That person should quite probably deserve more responsibilities.

    I'm not saying they aren't a malcontent. But how many smart people on /. would do something similar just out of boredom?

  • Nowhere did I imply that gaining millions in a civil suit is either easy or necessarily possible. But in a legal climate where nearly every claim, regardless of its absurdity, is given time in a court, it is impossible to predict what a court will force me to pay to defend. And this is not simply monetary costs. The costs due to a loss of reputation, and the time involved could possibly be devastating.

    As far as having intelligent employees, yes, that is the bulk of our staff. However, when unemployment rates are as low as they are, finding new staff that is competent (and by this, I mean that they can alphabetize) becomes increasingly difficult.

    We have phone policies. We have fax policies. But if you reread the original question, you'll see that the purpose was to garner what seemed to be a reasonable policy regarding the internet and email (not yet implemented in our office for a variety of reasons).

    With few exceptions, I have gotten few, if any, reasonable responses to my question. It is very easy for slashdot to bemoan the practices of companies. Yet when I asked for a policy that takes into account both their needs and those of the employer, the responses seem to be:

    Screw 'em. You gotta cover your own ass.

    -or-

    It's your job, not mine.

    As long as that is the mentality that exists when one tries to get the opinions of /., I'm afraid that it will always be viewed as a fringe group with fringe opinions.

    I must also state that I'm quite dismayed that Mr. Katz has not chimed in. (or at least he hasn't yet been modded up. Perhaps a recheck is in order). Despite his constant protests of the hegemony of the American Corporate Culture, when given a chance to voice constructive criticism, he is nowhere to be seen. Perhaps those who denigrate him are correct. He is a reactionary with little to offer to the conversation.

    But on slashdot, it seems he is not alone.

    (btw, for those who must flame, the mail server is at olg.com)
  • This is probably what we will do in conjunction with some other ideas. The problem is that the company is right around 50 employees. At that point, with the facilities available to us, things start to get difficult to handle. As a matter of fact, most of the problems are due to the fact that we are large enough to need more formal management, but not large enough to afford it:)
  • Done and done. FWIW, my company (at my behest) tried very hard to prevent the UCITA from being passed in Maryland.

    Guess what? Didn't work. Spineless idiots.

    OTOH, remember that this is in response not to written laws but rather to poor interpretations of existing laws by judges. It might have been 'Database Nation', but there was a book I read this summer that talked of the absurdity of the sexual harassment laws/interpretations in particular.

  • I used to work for a state agency (judicial branch), and the entire agency was completely ridiculous about both email and internet access. (No joke, the head of the agency initially did not want us to have email because he thought that meant that people could randomly hack into our Word files and read protected documents.)

    Before we were allowed access, we had to sign two or three pages of disclaimers and such stating that we were aware that we "had no reasonable expectation of privacy" in our email or internet usage, and that the agency could peek into it at any time, with or without cause. It also stated that email and internet access were for work only, and had some language stating that minimal or occassional usage for personal reasons was okay.

    Yes, the policy sounded insane, and most of us were pissed off. Grudgingly, we signed anyway. (Refusal to sign mean no internet access or email, period.)

    To my knowledge there have not been any "issues" involving email or internet usage there (save for a problem with some silly Christmas card program that took up huge amounts of space on the server). The more savvy employees got Yahoo accounts for their personal usage. And for the most part, everyone lived happily ever after.

    If a problem did arise, at least the agency feels protected by the lengthy disclaimers. Obnoxious or not, they would hold up in court.
  • by SEWilco ( 27983 ) on Wednesday August 30, 2000 @07:58AM (#815649) Journal
    When I send a paper letter to you, does your company have people who review every letter which is received or sent?

    No, I'm certain the paper mail is simply delivered to your desk. The same way outgoing paper mail is handled, and interoffice paper mail. The mailroom leaves the responsibility with the individuals involved.

    If you remember your business letter standards, how you sign your letter is also an indication of whether you are speaking for the company or not. The responsibility with paper mail is with the individuals.

    Why change things for electronic mail?

  • (FADE IN to MY OFFICE. I'm THE BOSS, lounging in my leather chair behind my expansive desk. A TECH GUY enters, holding a piece of PAPER.)

    TG: Erm, Mr. Boss, sir, I have that Internet policy you asked for. (Offers PAPER to BOSS.)

    BOSS (inspecting PAPER): It says here that we won't read our employees' e-mail.

    TG: Erm, yes, sir.

    BOSS: So if I suspect that one of my employees is embezzling, or selling our secret formula for Slashdot Cola to my competitors, or tipping off friends about likely changes in our stock price, I can't look at files on the computer that was bought with the stockholders' money to find out?

    TG: Erm, well, sir, I don't want to play Big Brother.

    BOSS: Then go work at the Mickey D's drive-through. You're fired.

    (MY OFFICE, one week later. TECH GUY #2 enters, holding another PAPER.)

    TG2: Erm, Mr. Boss, sir, I have that revised Internet policy you asked for. (Offers PAPER to BOSS.)

    BOSS (inspecting PAPER): It says here that we won't read our employees' e-mail unless we reasonably suspect that they're doing some forbidden thing.

    TG2: Erm, yes, sir.

    BOSS: So if I suspect that one of our employees is embezzling, and I find out that he is embezzling, and I fire him, he can still sue us for breach of contract, alleging that even though he really was embezzling, I didn't have enough information to form a reasonable suspicion that would allow me to look at his e-mail? Which, by the way, is stored on the computer which was bought with the shareholders' money?

    TG2: Erm, well, sir, ...

    BOSS: Thanks so much. You're fired. Have a great day.

    (MY OFFICE, one week later. TECH GUY #3 enters, holding yet another PAPER.)

    TG2: Erm, Mr. Boss, sir, I have that second revised Internet policy you asked for. (Offers PAPER to BOSS.)

    BOSS (inspecting PAPER): It says here that we can read our employees' e-mail for any reason at any time. Won't our employees think that we're playing Big Brother, and be angry and resentful?

    TG3: I'll blather on to them about EEOC guidelines. Besides, all our competitors have the same policy. What choice do our employees have?

    BOSS: You'll go far in this company, Jenkins.

  • In general, you cannot escape legal responsibility for your agent's bad acts by willfully blinding yourself to them.
  • I'm a consultant, and at my current client site, the lawyers have deemed that no email shall live more than 30 days. If it needs to live longer than that (some does, like contracts and product research), then it quite clearly becomes the user who is responsible (and who gets sued), and not the company, for anything that goes wrong from having that old email lying about. There's still ways of copying email outside the system, but POP and IMAP have been disabled on the servers to prevent local copies of email from accumulating.

    Keeping logs doesn't really protect you. All logging does is simplify a post-mortem, and provide a method for digging into someone's past and turning a non-event into something nefarious. If the data isn't collected, you can't turn it over to someone. :-)

    And the user can still send inappropriate email using any form of encryption such as, oh, any non-English language. Seriously. Are you going to spot check the emails written in French? Hindi? Farsi? Obfuscated Perl? How about keyword filtering in those languages?

    About the best you can do is use the same policy you have in place now for phone use. If it gets out of hand, you, or your co-workers will know (or will rat on the guilty). Make Human Resources play the part of bad guy, and have them deal with these personnel issues. Publicize the policy, and have a two infraction limit. First warning, a week without pay. Second warning, you're fired. Zero exceptions (including VP's and CEO's).

    Finally, I'm happy to see that you realize it's not that you're going to get 2,000 hours of perfect work out of an employee per year, but that the value of what they do during a year is greater than what you pay them each year.
  • by RobertGraham ( 28990 ) on Wednesday August 30, 2000 @08:07AM (#815654) Homepage
    You can't avoid lawsuits in America; don't pretend there is a magic pill that will solve your problems. As for monitoring e-mail, there are no good standards yet. You cannot monitor all e-mail, but if an employee comes to you with a harassment complaint, you had better be prepared to start monitoring the offender's e-mail.

    I've documented similar experiences at: http://www.robertgraham.com/pub s/firewall-pr0n.html [robertgraham.com]

  • I'm no lawyer but AFAIK this idea would work:

    Become a "private ISP" of sorts. Charge a nominal, required fee for use of the e-mail system. That way you could use some of the legal prtections ISP's have.
  • I've worked for a few companies, each with different Internet policies. Here's a sample. Numbers correspond to workplaces in each category

    Web:

    1. No Web access without full officer approval (a bank.) Every move you made on the web was logged and tracked, plus "undesirable" sites were blocked out.
    2. Very little logging, but a proxy server filtered out things like Playboy, Dilbert, etc. (huge insurance company.)
    3. Unrestricted web access, very little logging (firewall logs blocked port attempts, etc.) This is in my current gig with a huge worldwide systems company.)
    Email:
    1. Internal email only...no outside access at all (including blocking of Hotmail, etc.) except in certain, tightly restricted departments such as PR, customer service, etc.
    2. Full outside access, but everything was logged and passed through a word/content filter. I've seen many a sneaky sales manager get gently escorted out the door after they found that he was emailing files/kiddie porn/MP3s to his buddies. Very strict policy for if/when you screw up.
    3. No email filtering as far as I know.
    Now, here's what I have always used to govern my personal Internet use at work:
    • Nothing, and I mean nothing, of a personal nature goes through my work e-mail account. My ISP lets me read and send personal mail via the web, so I'm at least not wasting the company's mailqueue space. ;) Besides, if some goof from the outside sends me spam or a "restricted" piece of material, I certainly don't want it coming up to haunt me. Besides, I already get way too much email in my work account. :)
    • As for the web, it's the company's nickel you're using to browse. I try to keep personal browsing to a minimum, but most employers I've seen understand that blocking really isn't the answer. The only thing I'm guilty of overusing (other than reading Slashdot) is downloading stuff like patches and service packs for programs (I have 56K at home...try downloading W2K SP1 over that!!) It's just too dam nconvenient to download, burn to CDRW and take home.
    Now, if I ran the network (at least the external services end...) I would do the following:
    • Email: Most people have an ISP at home, and they can get email through that. If you let users access Hotmail, or send SMTP requests to their ISP, you'll probably cut the mail server traffic by a lot. If you're truly paranoid, append a disclaimer onto the end of the message.
    • Web: Trust your employees. Most are there to work. Some are there to download porn. They'll be found out sooner or later. Rather than actively block sites, if you feel you need to restrict access, make users read and sign an IT policy agreement. That's how Company #2 above deals with web abusers. The policy should state what is allowed and what isn't, clearly and specifically. A signed document is your best defense when kiddie-porn-man sues for wrongful termination.
  • I can't find the link right now, but I also believe that a company has to take appropriate steps to ensure that trade secrets are kept secret, otherwise they can't sue someone for disclosure. This might include the necessity for monitoring email.

    This [incomesdata.co.uk] document has a number of good links related to this story.

  • by interiot ( 50685 ) on Wednesday August 30, 2000 @08:05AM (#815664) Homepage
    This [findarticles.com] is what can happen if you don't monitor your employee's emails. Chevron had to pay $2.2 million to employees because it allowed its internal email system to be used to transmit sexually offensive jokes.

    This [uwaterloo.ca] page lists a few more lawsuits from company liability about email. To limit liability in such cases, they suggest:

    • Have an Explicit Written Email Policy
    • Have an Explicit written email monitoring policy
    • Have a User Education Program
  • The company should not be forced to be your phone company or your internet provider. If you could only speak through the workplace, it would be different.
    Hmm. I can see this with the internet (while things like online banking make this a borderline decision, as most online banking sites are more convenient than phone banking) I can't agree with the phone - most companies accept that *other* companies don't deal outside of business hours, so employees are likely to need to make the occasional personal call to a bank, utility or doctor that would otherwise need them to travel to the place of business or find a payphone. Some provide a small room with a desk and payphone for "private" calls, but the majority just roll in the small cost of these calls as overheads and ignore them (provided they aren't abused of course).
    In fact, a current English law is still pending because in effect, you would require the formal permission of *both* participants in a call not to be committing a crime that carries a jail sentence; they are working on alternative wordings that allow sensible monitoring without allowing anyone but the government a snooper's licence (now that they have one, they are jealous of anyone else getting one)....
    --
  • This just sounds like a defamation lawsuit waiting to happen... IANAL, but anything more than "Bob violated the posted Internet policy" will be challenged by somebody, then the company will need to prove why it released personnel details on a terminated employee

    The fact that you visited www.livenudegoatpr0n.com at work is not a personal detail. It's information that the company can release to anyone it bloody well chooses because the entire transaction took place using company equipment and property and on company time. That means that it wasn't a private act, but a public act within the company. So you can't bitch that your company announced that you were fired because you were filling up the companies hard drive with pr0n.

    Kintanon
  • And it comes out later that they were away from their desk and someone else visited that site from their PC, or someone sets their PC to the victim's IP when the victim's PC is down, or ...
    That is a risk. A possibly expensive risk.



    I don't think you understand how corporations work, they aren't going to just notice hits to pr0n and fire the guy and announce it. They are going to notice the hits, set up some more intrusive monitoring on his machine, and find out everything they need to know to be sure it's who they think it is. Then discuss it with them, and continue monitoring. Corporations are VERY cautious because they don't like wrongful termination suites any more than any other kind of lawsuit.

    Kintanon
  • It depends on your company size.

    Sometimes, in a smaller company with 100 people - it is possible to work closely with the employees to ensure they understand the company standard practices. I have seen cases where in general meetings, the COO has tabled the issue and has asked for a consensus among the employees about how the company as a whole should deal with this issue.

    That is not really practical in a larger context. I work in an information services department with more than 4000 people in a largish corporation. For us, here, (and Im not the person who enforces these policies here) there may not be really any other way out rather than blatant denial/interception.

    Whatever way you choose - it is wise to use understanding and care when dealing with such violations.

  • It's amazing to see the internet usage ramp down for a few weeks!

    Man! I can't imagine being so addicted to pr0n that you just have to get into it at work when the company policies so specifically forbid it (and it's NOT hard for your employer to check). Just seems dumb. I mean, I feel bad enough reading slashdot for an hour at a time, but at least that's not (specifically:) against company policy.

  • Where I work, we need to communicate directly with customers and send them files as attachments, etc.
    Our company has gone the opposite of what you suggest and disabled communication to/from port 25. So we can recieve home email, but can't send.
    Well, that is, most people can't.
  • Can Ford be sued for creating a hostile workplace if someone sees an offensive porn site on a computer that they provided for their employee (in their employee's home?). Is snooping necessary legally to prevent at home porn browsing on company provided computers?
    -----
  • by pangur ( 95072 ) on Wednesday August 30, 2000 @08:18AM (#815689)
    You know, this is your company, your capital, and your ass on the line. If some 'smartass' is going to put keywords into his .sig to annoy you, this same 'smartass' could sabotage you in other ways ("He wants me to make another cup of coffee for him, who does he think I am? I'll show him."). If your employees have an issue with their e-mail being read and their web usage tracked. you can remind them of some facts:

    1) They can have all the e-mail and web surfing at home that they want. Even for free.

    2) You paid for the computers and the internet connection. You get to dictate terms of use. If they want to "represent" the company they need to abide by your rules.

    3) If they screw up and get you sued, you can fire them. You, however, can lose your business. Being the one to put your neck and reputation on the line by starting a business means you take more risks and can get more rewards. Don't let someone take that away from you because they wanted to "show you".

    Overall, if they are adults, they should realize the responsibility that they have to their place of work. If they want to violate your policy and expose you to risk, then someone else can hire them and take the risk. Or, they can become self-employed. Then they can see what it is like to have themselves exposed to risk.

    All my programs have a purpose. This one, for example, takes the contents of RAM and places it in a file called 'core'.

  • Depending on the nature of your company, you might not want to strictly monitor such communications -- but be sure to create guidelines that all who are employed by your company can understand without legal council.

    If suspicion is strong enough, maybe monitoring communications minimally. Many companies do allow (without acknowledging) some personal activities to slip through the cracks, so long as the employee is doing their job. But I don't know about many professions and how easy it might be to get compulsively sidetracked, but I'll bet many companies that don't deal with consumers often don't always promote the most comfortable work environment in the name of saving money!

    Of course i'm wrong, so comment accordingly ;-)


  • by Liza ( 97242 ) <slashdot@NOspAm.jill-liza.us> on Wednesday August 30, 2000 @10:33AM (#815696)
    As a former plaintiff's lawyer for civil rights cases, I sure wish it was as easy to win millions for the victims of harassment as GMHowell seems to think.

    Standard Disclaimer: I am not your lawyer.

    The fact is, if you have a business of more employees than you can count on one hand, you should probably have policies regarding personal use of the phone, Internet, and other office resources.

    This does NOT mean just write them down and stick 'em in a file cabinet. That's how you get in serious trouble with plaintiff's lawyers. What you SHOULD, do is this:

    Tell your employees what kind of behavior you expect of them. Enforce it. Don't tolerate harassment -- sexual or otherwise.

    Your employees are not stupid. You can explain that a flirtatious UPS driver, or even going out for drinks with the office after work, are different from employees making frequent sexual comments about other employees, different from turning a blind eye to employees who send sexually explicit URLs around the office or spend time at work surfing those sites, and different from employees who hit on other employees and give them worse work assignments after being rejected.

    That last thing -- that's where most employers who get nailed in lawsuits really get nailed. People who end an on-the-job romance (or refuse to have one in the first place) shouldn't have to worry that they're going to get lousy assignments, no more promotions, or lose their job as a result. As an employer, you need to see to it that those things don't happen.

  • I sympathize with the question. In terms of laws which regular employers, those pertaining to sexual harassment are some of the worst. I'd tend to suggest an application layer monitor that checks keywords, and completely ignores messages which do not contain them -- carnivore, anyone?

    Really, we need an adjustment of the law. The judicial interpretation of the law has led to some amazing rulings regarding sexual harassment. Not only has it wrongly cost many companies money, time, and employees, but it has trivialized the truly evil sexual harassment which still goes on everywhere. It should always be the case that a company has a chance to rectify a situation after the fact. Any large company should have a contact person in HR who can receive a complaint, and companies should not have liability unless they fail to respond to a complaint. Anyone who can file a lawsuit can surely take a complaint to HR first; otherwise, I'd say they are motivated by greed and/or spite, and not just the desire to have a healthy workplace environment.

    Of course, it won't come as any surprise to slashdot readers that the country is in love with litigation, but the longer I work, the more I witness incidents where the spectre of litigation protects only the wicked, as it were.
  • There's a book about policies you can implement to protect your company... "e-policy"

    http://www.amazon.com/exec/obido s/ASIN/0814479960/ [amazon.com]

    kick some CAD [cadfu.com]
  • Technology is not going to protect you from lawsuits because technology did not cause the lawsuits. Just because it is easier for employees to keep in contact with people from outside the office throughout the day does not mean that your chances of getting sued increase. When it was fax machines and snail mail, wasn't there also still butt-slapping and memo-boards? The situations in which a sexual harrasment or other company damaging claims could occur weren't able to be stopped by technology back then, and they aren't going to be stopped by technology now.

    Some of the solutions were already in your question. (1) Hire dependable, hard-working, trust-worthy people. (2) As your company grows don't let them lose touch with each other or resources for help in case something does happen to them. In other words, get a strong, honest, HR director or department, someone your employees feel is on their side and not the company's. (3) Talk to a good consulting firm that handles HR issues like workplace grievances and see what they recommend (4) and since it will happen someday, get a good team of lawyers.

    The solution to the issue of unwanted lawsuits lies not in controlling outside contact, but strengthening contacts inside the office.

  • In a previous life I was one of the head administrators of a very very large e-mail network for a very very large company. 300+ servers, 60 countries, etc, etc.

    E-mail policy was a huge issue for us. The technical team and the legal team looked at it from several sides. First, thing we thought of was the cost of monitoring e-mail and what problems it may cause. The biggest problem was actually monitoring e-mail caused far more issues than not.

    It was far more likely that we would be sued for terminating someone over an e-mail rather waiting and responding to a complaint about said e-mail. The biggest factor in this was dealing with low level management. Frankly, the low level is there to watch the clock and fill out reports. The probability that a manager making under 30K a year of correctly handling the situation was quite low as well.

    Further more, by opening mail up to be read we risk disclosing information that would break NDA's, and FTC rules. For instance we wouldn't want mail about a merger or sell off to be made public until it was legally correct to do so.

    In the end the mail policy was set up so that monitoring of e-mail would only be allowed in the case where a VP level or higher authorized viewing the mail. Any other complaints we be handled via HR channels.
  • by Dr Caleb ( 121505 ) on Wednesday August 30, 2000 @07:56AM (#815710) Homepage Journal
    They are adults.

    At least they should be considered so.

    My company has a simple policy - pretty much open internet. Some sites throw up red flags and are blocked (such as playboy.com).

    We publish the companies internet usage policy on the intranet home page. No one has the ability to change that home page. They are required to bide by the rules of internet usage.

    If they don't, the rules are simple - termination.

    And we make a big deal out of it. Terminations are not announced (the rumour mill takes care of that...), but when employees are convicted of having soft/hard/child pron on their machines, a letter of explanation goes out from the company president.

    It's amazing to see the internet usage ramp down for a few weeks!

  • by KahunaBurger ( 123991 ) on Wednesday August 30, 2000 @04:35PM (#815711)
    Moreover if you have an official policy of monitoring AND ALSO filtering then the company is setting itself up to NEVER send out anything that is in violation of the policy. That is, if you claim you are in compliance then you in fact HAVE TO BE in compliance and you may be exposing the company to even more trouble.

    Wrong.

    Lets say the magic words again, everyone : "good faith effort" Aside from the (IHMO sexist backlash of) hysterical overreaction to sexual harrassment claims, the reality is very different. You as an employer are not held responsible for everything an employee does. But you are responsible if you condone it, if you have policies which make it easier on the harrassers than the harrassed, if you don't take early complaints seriously, etc. If you have a policy, you tell people where they can complain, and you make a good faith effort to follow up, you do not have a problem.

    Then again, in the real world (outside of the backlash hysteria) a lot of individuals and companies don't have a problem even when they don't do it right. (begin rant)

    Real life example. A lifegaurd for a city pool sued the city because of pervasive sexual harrassment by her supervisor. The city had a sexual harrassment policy and displayed it at city hall, but the employee worked only at the pool and never saw it. When she tried to complain to her supervisors superior they lied/didn't know better and told her that there was nothing that could be done about it. One of the lower courts ruled that even though they had completely failed to do anything useful with it, the city was still protected from the complaint just because of the existance of a formulated policy. (in this case even a bad faith effort is ok, apparently). The case was under appeal when I heard about it, I don't know the final outcome.

    Another real world case for those who think a flirting UPS man will lose them their business. large supermarket chain had a store manager accused of sexual harrassment bordering on attempted assualt. Their solution to the problem was to maintain his "rank" but switch him to another location where no one had heard about his past behavior. There he was given enough athority over a small enough crew that he could one night order everyone home but one woman at lockup time and rape her in his office. When she found out about his prior complaints and the way the chain had responded to them, she sued. On her last appeal, the court ruled that the chain had not acted in negligence, and she had no standing for such a claim. They did say that she could file a workers comp claim, because the "injury" arose out of normal work conditions. Wanna guess which state thinks having a known sexual predator arround is just something the company can't be expected to change? Massachusetts, home of the "liberal, activist" court.

    Now I keep hearing people rant about these overeacting sexual harrassment claims, but I've never actually heard a authenticated, or even first hand report on one. Out in the real world, it looks like the companies can protect themselves just by having a policy, distributing it and sticking with it, harrassers can protect themselves by being "good enough" that their supervisors turn a blind eye or reassign when too many people complain, and the harrassed can protect themselves.... how? I don't know. make a complaint and hope anything useful happens, then go out and listen to your friends complain about the nuetered corportate culture they're imagining.

    Rant over, gotta go to bed.

    -Kahuna Burger

  • I am the mail/network admin for a midsized company. We have limited capital, and therefore limited bandwidth (the big pipes cost big money).

    Because of this and to protect ourselves from the liability mentioned above, we monitor email in a way that we consider to be reasonably fair. All incoming, outgoing and intercompany emails are scanned for a set list of words and phrases (that was an interesting day, keying in all of the offensives words I knew), in addition to being virus scanned, checked for size, etc.

    Incoming mail that throws a lexical violation (contains enough of the words/phrases to red flag it) gets bounced with a polite messge regarding innapropriate business content. Outgoing and intercompany mails which we might be liable for that throw a lexical violation are forwarded directly to the head of HR, who determines if it is necessary to take any action. 9 times out of 10, nothing is done.

    Regarding the web, we catch every single URL that gets keyed in. We do restrict and filter content, more to reduce bandwidth usage than any other reason. On the other hand, as the guy who had to search the logs, I can tell you definately there were people surfing porn. I'm not talking about an occasional glance either, I'm talking an hour long porn fest. The software we use allows us to tailor a surfing policy for different groups of users. Data entry personnel who don't need the internet for business use simply don't have access. My company pays for the pipe. They pay for it so the business can grow, no to provide an ISP to employees.

    As a final note, I saw someone talking about smartasses who put all of the offensive words in there sig. Yes, it's very cute, and it happened to us several times. I've found that after an extended conversation with both HR and th Manager of Information Security they find better uses for their time.

  • by Scot Seese ( 137975 ) on Wednesday August 30, 2000 @08:06AM (#815719)
    Haven't we conclusively proven already that one lawyer can cloud legal judgement, and a committee can completely kill the publicly accepted standard of common sense? You most likely allow your employees to use their break time to telephone a loved one from work; If they are instead using their lunch time to call their ex, whom in this scenario has a restraining order against them, are you laterally responsible for providing the telephone at your workplace?! If an employee puts THEIR stamp on a piece of personal mail, and drops in in the company's outgoing mail chute to save a trip to the post office, are you responsible for it's content? I could only hope that if an employee were using your company email to send or recieve objectionable material, the parties involved in any subsequent legal action would be.. the sender, and the receiver. You are running a company, employing adults, not running a day-care center. If your IS manager came to you and suggested that SOMEONE on the network was sending/receiving an inordinate amount of email, it would warrant a short conversation regarding the limitations of personal usage. What is being discussed here, in abstract, is the problem with the US legal system and society as a whole, that being the Death of Responsibility. It's always someone else's problem, isn't it?
  • "I manage a small business and am well aware of how bizarre the EEOC and others can get when it comes to sexual harassment, racial quotas, etc." The EEOC does not and cannot mandate or enforce anything resembling "racial quotas." Like many aspects of American Law, equal employment opportunity laws state a general principle but are (a) very vague about what constitutes compliance, (b) weak on enforcement mechanisms, and (c) usually allow professional organizations (consultants, personnel departments) to determine what compliance means. Throwing around phrases like "racial quotas" is plain wrong and very misleading.
  • I agree completely. People, try to think of it in small terms first:

    Would you appreciate it if a roommate hopped on your computer and sent harrasing/threatening e-mails out under your name? Probably not.

    Now what if you hire that roommate to write some code for you using your machine. He sends out threatening e-mails using your machine, again under your name, but now he's an employee. It's your computer, does the fact that you've hired him to write code on it give him the right to use it any way he wants?

    Now make it a small business with you hiring two coders, you own all the machines, do they have the right to use them as they please? Scale it all up-- at every level, the person/persons/shareholders who OWN the machines have the right to say what gets done with them. If you don't like it get a machine at home and a dial-up account.
  • by rhombic ( 140326 ) on Wednesday August 30, 2000 @08:03AM (#815725)
    There are a few simple things you can do to cover your end and make employees life easier:

    1) Have a written internet policy. Work it over carefully. And have every employee who gets a internet-connected computer sign that they've read, understand, and agree to abide by the agreement.

    2) Business e-mail is the same thing as letterhead. Employees don't use letterhead for personal correspondance, they shouldn't use business e-mail for personal purposes. Hotmail, yahoo! mail, go mail, there are a hundred free e-mail services out there that work just fine. Simply make policy that the business e-mail is business use only. Period. Help users setup hotmail/yahoo/whatever if they want. Bingo! You have no ethics problems with full logging/reading every e-mail that goes through. There are no personal/privacy issues to deal with. If an employee gets caught using it for personal purposes, there's no reasonable expectation of privacy since you've already stated that it's business only and will be logged.

    3) Make policy on personal web-browsing. Make it clear what is not acceptable. And deal with abusers promptly.

    4) Sexual harassment: this is only a real problem if something is brought to your attention and you fail to act on it. If the delivery guy is being inappropriate, you ought to be on the horn to the local delivery office immediately if not sooner! As soon as you mention "sexual harassment" and "we're discussing this with legal" the guy will be on notice, and if it happens again, he'll be fired. Guarenteed.
  • by ATKeiper ( 141486 ) on Wednesday August 30, 2000 @08:08AM (#815726) Homepage
    We have an archive of related articles on our Personal Security page, here: http://www.tecsoc.org/persec/pers ec.htm#workplace [tecsoc.org]

    - A. Keiper
    The Center for the Study of Technology and Society [tecsoc.org]
    Washington, D.C.

  • I think that 'business information' pretty clearly != 'personal skills'. Business information would include things like the trade secrets and business practices you mentioned (upcoming plans for the business and its customers/suppliers, for instances) as well as business contacts - for instances, trading on your position as a representative of the company to get deals for your personal ventures.
  • First, let me say this: If a company expects me to be at work anything above and beyond what is recognized as a standard work week, they can fuck themselves if they don't want me using company resources to rearrange the rest of my life to suit them.

    Back to company policies. The company for which I work has RFC1918 addresses for internal systems, NATted out through a firewall which only allows outbound on 80 and 443 for almost all systems.

    Being non-stupid, I set up an SSH daemon on port 443 on an outside box and set up tunneling, but that's beside the point.

    Point is that my company chose to place restrictions such that using external non-webmail accounts was impossible (well, for the 99% who tend to lack clue). MSIE is set up here by default to use their proxy, and settings on the workstations are locked down.

    Were their choices better because they were diligent in limiting use?

    Were they worse, because by not allowing SMTP, POP, SSH, telnet, and unproxied FTP, they encouraged the use of company applications and company servers, and not just company connectivity?

    Since I can tunnel everything including web traffic (got me a proxy outside) they can't even see anything but one really long connection to a single host which comes up with nothing when they pop it after https://.

    Reliability suffers, and my TCP/IP stack on this damned Windows box blows up too often with all the forwards, but have they won, have I, or neither?
  • Email is much more informal than paper mail, and people treat it accordingly. I can't imagine people in my office send or get chain letters, jokes, and photos of varying levels of propriety through the postal service. But the volume of the same kind of stuff they send and get over email is enormous.

    People are much more likely to send or receive "inappropriate" material via email than by post. The two mechanisms require different sets of rules.

    -

  • by zlite ( 199781 ) on Wednesday August 30, 2000 @07:55AM (#815756)
    A lot of banks and law firms (who are most vulnerable to liability) automatically append boilerplate disclaimers to the bottom of all outgoing email. Is it irritating? Yup. Does it work? Maybe. But it certainly reminds employees that liability and responsibility are issues that they should keep in mind.

    Most importantly, it may be able to save you the ugly mess of an email screen.
  • This one came about by default, owing to so seriously loopy system design and purchasing decisions. We use Groupwise here in the office, with everyone's permissions set to full. It's useful, because a lot of our business (lawyering) has to be done right now - the fact that someone's out of the office, tied up in a meeting all day or asleep at the switch won't wash with the clients.

    The upshot is that everyone can read everyone else's email. The web isn't logged or monitored, but the office is open plan. So everyone can see that I'm posting to /. between drafting contract clauses.

    Total openness and good old-fashioned embarrassment mean that nothing untoward goes on.

    Whether this system would work in an environment that didn't consist of a majority by weight of lawyers is left as an exercise for the student.
  • by MagicYoshi ( 202476 ) on Wednesday August 30, 2000 @08:07AM (#815758)
    I've always felt that when you give people all the information, they often can be trusted much more.

    When I was in college, I was involved with a school program that was being threatened with being shut down because incoming students would complain that they were pressured into drinking. However, there were 400 students involved in the program and there was no way we could police them all. The students in charge of the program appealed to the other students, explained the problem and explained the consequences and we had almost no problems. A couple of years later, it had become a "rule", and it's now a problem again. My point is that when we explained the situation, they wanted to help and were able to.

    As far as the UPS person flirting with a receptionist, if you receptionist has some sort of way of getting help or discreetly calling someone into the room, the flirting will not be a problem. I would think any judge would look at that and realize the company had done all it could. But then, IANAL.
  • If your employees are forbidden from sending email that is not encrypted, then you can't monitor their email.

    There are a ton of other reasons a policy like this makes sense; indemnifying yourself from such lawsuits is just a convenient side effect.
  • This is trite, but -- Americans created this insane system of liability and if we're not willing to live with the consequences then we all need to create a better one. Every time smokers sue tobacco companies, skiiers sue the areas whose ropes they ducked, sexual harassment suits are filed against employers who weren't at fault in the slightest, we all pay the bill.

    What to do? I would say:

    • Serve on juries! Don't try to get out of it. It's part of being a good citizen and your chance to inject fairness and common sense into the judicial system.
    • Don't be part of the problem. I bet it's tempting when something bad happens to you to try to turn it into a lottery ticket. But the end result of your windfall is $59 lift tickets for the rest of us.
    • Discourage the people around you from filing stupid lawsuits.
    • If you're the victim, fight it! Insurance companies are usually happy to settle and pass the tab along to their customers. Make them fight!

    ---------

  • OK, but (for the most part) this begs the question. You make this policy clear to everyone - and someone violates it, and someone else sues you. Are you liable?

    Buried in all the language about undestanding and respect, is the real answer to the question:

    Members of the executive staff, the employee's supervisor, or another employee at the direction of a member of the executive staff, may access, monitor and act on any message or communication or data in any system at any time and may view and consider and act on the contents of any item provided for use in the normal course of company business...The Company reserves the right to inspect information and work environment at any time, with or without notice.

    ---------

  • by crgrace ( 220738 ) on Wednesday August 30, 2000 @07:58AM (#815767)
    I worked at a federal laboratory several years ago and the systems there were under tight security. Every time you logged in a message would come up that what you did could be observed at any time by Lab employees or Federal law enforcement. Pretty freaky. In my group, though, someone wrote a LISP patch for emacs that warned when the sniffers were lurking. Whenever the Lab would be watching what you were doing a message would come up on the emacs message bar saying "Big Brother is Watching". This was right about when the WWW was starting to become popular (we used Mosaic on sunOS!) and I don't think the lab could track web hits yet, so I guess it was checking what directories you were in and what files you were editing to see if your account had been hacked.

    It's a very hard problem for the Lab I'm sure, pitting the need for open exchange of ideas between researchers against the need to protect the security of what we were working on.

    Anyway, now that there are programs that can monitor web usage, could we write a program that could warn users? Or, are all web hits archived so they don't have to monitor in real-time. If this were the case such a warning would be useless.

    Also, is it any suprise companies are reading email, it's as simple as:

    root> cat ~"user"/mail/inbox | grep "insert offensive language here"

  • The problem is all inside your head, he said to me
    The answer is easy, if you see it logically
    I'd like to help you in your struggly for privacy
    there must be
    50 ways to move your email

    Get Yahoo [yahoo.com], stu...
    or Hotmail [hotmail.com], Gail..
    there's freeshell, Del,
    Just listen to me
    go get Hush [hushmail.com], Gus,
    we don't need to discuss much
    and get PGP [pgpi.com], Lee
    and set yourself free

    (I don't want to slashdot freeshell, but if you look hard enough, you can find them)

The explanation requiring the fewest assumptions is the most likely to be correct. -- William of Occam

Working...