Protecting Your Company While Protecting Privacy? 184
"Sure, I'll block a URL here or there but spot checking e-mail? How long until some smartass comes up with a .sig containing all of my keywords?
In general, people are going to be more productive if they take their five minute break at their terminal browsing than screwing around by the coffee machine. Along the same venue, I am not interested in tracking 'abuse' (such as hitting eBay, checking the sports scores, etc.) If someone is using that much time that it interferes with their job, I'll be speaking with them regarding their dereliction of duties in general, and not speaking to them about Internet usage in particular.
So, again, I pose the question: what sort of policy and procedures will protect the privacy of employees' surfing and e-mail, while still protecting my company from liability?"
Next software I release... (Score:1)
Re:Private moments. (Score:1)
Tell employees to limit their e-mail to a standard comparable to their telephone calls. Too many personal calls/e-mails is a bad thing. How many is "too many" is a matter of judgement on the part of the employee AND the management involved.
If it's not work, save it until you get home.
Now, get back to work you lazy bastards. ;>
Protecting Your Company While Protecting Privacy? (Score:1)
1. Block outgoing mail? That might be acceptable at some companies, but at most it would cause productivity to nosedive. If you'd rather your employees spend 3 hours playing telephone tag than 5 minutes composing an email, cool.
2. Issue 2 email addresses? An insignificant increase in the time that it takes to read your mail, so it doesn't cost much. But if you say something that gets the company sued, I'm fairly confident that the company will still be on the hook.
3. Filtering software? "It's OK, honey, I've had a vasectomy. The check's in the mail. User friendly. You're the only customer that ever complained." Yeah, maybe one day we'll have filtering software that does what it's supposed to, supported by a company with no hidden agenda, but in the meantime I'm keeping it well away from any machine I control.
I like the idea of bringing the employees into the loop before deciding on policy. Given some of the lunatic decisions on what constitutes harassment, e.g., Sports Illustrated, I suspect that companies really do need to monitor in order to protect themselves. But if they start putting video cameras in the lavatories, I might sue.
BTW, I find it ironic that with some of the dunderheaded decisions that innocent behaviors are harassment, it can be extremely difficult to collect in cases of genuine harassment.
Re:Private moments. (Score:2)
Hey, no problem. Of course, we'll be leaving for home one nanosecond after the clock says we can leave.
Oh, you wanted more than 40 hours per week of work out of us? Then start paying us for it, you greedy skinflints.
Re:not draconian at all (Score:1)
Re:Totally wrong solution (Score:4)
The law has determined that you need to be held responsible for the actions of any individual who works for you, which requires draconian privacy invasion in order to protect yourself.
So do it.
However, make sure your employees know why you're doing it. Tell them you have no interest in their activities, but must monitor them in order to avoid very expensive lawsuits. Then give them a list of phone numbers and addresses, and let them know if the liability can be changed, so will your policy. You'd be surprised at how many otherwise disinterested people will take an active role in politics (if only by making sure to vote or writing their congressman every so often) when you bring it home to them how these laws affect them on a day to day basis.
A good way to get them motivated would be to explain that most of these laws are created from the standpoint that employees are pretty much considered to be 'company property', and have no inherent privileges or rights; only those granted by the employer (which is why companies can be held liable for any activities which employees engage in, even sometimes outside business hours).
Do a good job of informing your workforce, and they'll think twice about voting for that yo-yo who says he's only trying to "protect the children".
Re:Weird thought - disallow email. (Score:1)
This is a much better way to do things. I don't like sending private emails to anyone from my company account anyway. I use a shell account to manage my private mail. It's only draconian if people aren't given an alternative.
Re:not draconian at all (Score:2)
Most people don't need email access at work.
Huh? I'd say this depends very heavily on where you work. About 95% of the people in my office have to communicate directly with the clients they're working for. This solution would not work at all.
Lawyer: your HO is wrong (Score:2)
I assume you mean the fifth, but it doesn't matter: it is about governments. It *does not* apply to individuals. It also does not apply in civil cases--your refusal to testify in a civil case *can* be held against you.
hawk,esq.
What about when it was someone's fault? (Score:1)
--
Ben Kosse
Suggestions for a Saner Workplace (Score:3)
(I'm sure there are other excellent books, too, those are just the ones I can think of which help people to figure out where they want to draw their limits, to recognise warning signs, and to work out any issues of their own, without the company needing to get involved.)
IMHO, this is exactly the same fight that mill workers had with mill owners, at the start of the Industrial Revolution, and has exactly the same answer as Robert Owen determined. An educated and sane workforce works better than a hurting and hurt one.
Don't allow personal email (Score:2)
Re:Big Brother doesn't have to watch (Score:2)
The point is that a LOT of companies are already using these tools and that the majority of them do this with no intent to spy on their employees. But there have been many cases in the news about employees being fired for their "browsing" habits by various companies. Which only means that some companies ARE spying on their employees. And that boils down to how much do you trust your company?
Ex-Nt-User
Re:CAUTION: NON-COMPETE (Score:1)
Don't use company resources for the sole betterment of your own enterprises. It's common sense to me. Your addition makes it a little clearer though.
Annoyingly, IANAL either.
Re:Apply open-source principles to the problem! (Score:2)
That a conversation can be recorded doesn't mean it automatically is.
Do you have a responsibility, as a business owner, to see what you are "publishing"?
Unfortunately, the answer seems to be "yes".
You're beginning to touch upon why business is starting to fight for effective instant messaging.
But, people don't resent an "open" solution if they know it's there. Nobody minds a camera posted over their head if it's obvious, especially if they can SEE what's being/has been recorded.
Your grasp of reality fails here. Several unions have been known for "accidentally" destroying biometric readers because they didn't even want their *fingerprints* recorded, let alone their words, thoughts, and actions.
Look up the wars, incidentally, regarding audio recordings on security videos.
--Dan
Contextualizing Email (Score:5)
This presumption that all emails can and should be logged comes from the presumption that emails are equivalent to official memos from the corporation.
They're not, and shame on anyone who would argue differently.
The fact that harassing comments may be spoken at the water cooler does not obligate the company to install an audio recorder at that cooler. The fact that harassing comments often are spoken over telephone lines assuredly does not obligate a company to record all calls made to and from the office building. The fact that E-Mail can occasionally lead to harassing comments as well does not obligate the company to violate the privacy of its workers.
Now, given an active suspicion (usually brought upon by an aggrieved party commenting to his or her manager), it's justified ethically to verify the charge by watching traffic in a limited manner. We wouldn't want someone to lose their job without their sins being proven.
But to say that employers are mandated by government to spy on everything their workers do obscures the fact that the government itself is mandating a privacy violation infrastructure be built into every single workplace in the name of "protecting us from ourselves."
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Re:From the Linux Capital Group employee handbook (Score:2)
You can't eliminate risk. You thus work to mitigate it as much as possible.
Thanks
Bruce
I really think it's fair. (Score:2)
Bruce
Not meant that way (Score:3)
Thanks
Bruce
From the Linux Capital Group employee handbook (Score:5)
Bruce
Systems Use and Privacy
In order to facilitate communications and business operations, the Company uses a number of devices, objects and systems. This includes but is not limited to mail, e-mail, telephones, desks, common areas, cabinets, files, computers, networks, passwords, voice mail, etc. Access can be made by the company to any or all of these items or systems at any time. Employees should not assume that contents of messages are confidential and will be only reviewed by the employee.
The Company does not guarantee the security of the Company's systems, computers or telephones. If you need to communicate in a secure fashion, do it outside of Company buildings and without using any Company equipment or facilities. We employ technical experts who are able to read your computer data and tap your phone.
Members of the executive staff, the employee's supervisor, or another employee at the direction of a member of the executive staff, may access, monitor and act on any message or communication or data in any system at any time and may view and consider and act on the contents of any item provided for use in the normal course of company business.
None of this, however, conveys authorization for any employee to eavesdrop. The email, files, and other communications of your co-workers are not your business and you are to avoid situations that would expose you to them unnecessarily. "Snooping" is unethical and you are liable to be terminated if you engage in it.
Our systems are never to be used for pornography, email spam, ethically questionable or unprofessional activities. Internet service is widely available outside of the Company at low cost. Do not consider us to be your "Internet provider": our Internet facilities are only for work. Internet communications that are not part of your job should be carried out using an outside internet provider, a non-Company email address and non-company URLs.
In a nutshell...this means don't be doing nasty or illegal things in the office or on our networks. Respect the fact that your co-workers have access to information on the network and the computers and they would like to be able to respect you in the morning. The Company reserves the right to inspect information and work environment at any time, with or without notice.
No Personal Businesses On-Site
It is understandable that many of the Company employees are entrepreneurs and may have one or more companies or separate enterprises, outside of their interest in the Company. It is our desire to nurture and respect the mindset of the entrepreneur. However, under no circumstances shall any employee of the Company run their own company at or through the Company. The use of the Company resources to conduct said business is strictly prohibited. All such enterprises shall be conducted completely off-site and shall not in any way be connected to or interfere with the normal operation of the Company.
It is understood and accepted that occasional phone calls will need to be made or taken with regard to personal business. However, there shall be no routine phone calls. There shall be no connections with your personal enterprises and the Company. You are not authorized to use computers, addresses or other Company property, licenses or identification numbers to conduct your personal enterprise. In addition, you shall not use to the advantage of your personal enterprise any business information acquired on the job, at the Company.
It is my opinion... (Score:2)
I don't pretend I don't screw around during the day (for instance...now), but I think I am entitled. I work faster than average. I implement job-lightening scripts and procedures. My ultimate goal is that I implement a system that merely requires me to be somewhere in town if something goes wrong.
So, if I'm endlessly reducing my workload (as part of my job), why wouldn't I have time for personal "stuff".
If, however, I were doing illegal activities, it would be my own issue, and if it became apparent, then I should be terminated.
Re:law (Score:1)
You need a legal opinion not a tech one (Score:5)
You need to consult an attorney. You may also want to investigate some kind of business insurance to cover litigation and damages that may result.
Re:Private moments. (Score:1)
The problem with this is that it places an unnecessary burden on the employer to police and spy on its employees. Come on now. If I write a threatening letter and drop it in my company's outbound mail box is it really the company's fault? Why then should the telephone or email be any different? If I have an illegal website running from my apartment, should my landlady be responsible for that as well? What ever happened to personal responsibility and the idea that we are presumed innocent until proven guilty?
Re:How is Paper Mail Handled? (Score:1)
Why is email treated differently? Email is not handled exclusively by federal employees. Does that mean that Joe User should trust their local postal employees more than their email admins? I suppose that depends on the employees and their email admins, but while immoral and probably subject to civil court, it is not a federal crime to read someone else's email.
If you don't like it, write your senators, representatives, and everyone else who can affect a legal change.
CAUTION: NON-COMPETE (Score:2)
This could be construed as a non-compete clause. In many states, these are unenforceable. You probably want to amend this to reference "trade secrets" and/or "business practices" instead. You can't tell me that as a web developer if I learn CSS or Javascript on the job I can't use that knowledge elsewhere. The whole point of employment is building your career and acquiring new skills. That statement is contrary to this basic principle of employment, and would be legally unenforceable, if not ethically questionable as well to request.
Now, using the same analogy, if as a web designer a company I worked for designed a new dynamic backend to deliver for, say, news content, and that backend contained a lot of new ideas and features not found elsewhere in the industry and where knowledge of that (if acquired by competitors) would cause material harm to the company, then yes.. such knowledge should be protected. However that should be done in a separate document and made explicitly clear to employees both at the time of employment, and at periodic intervals afterwards (if it is that important, you should take great pains to ensure everyone knows this - due diligence).
Yes, I know you don't mean this to be a legal document, but as a policy document for a company, it could be used in legal proceedings, however IANAL.
Re:Put simply... (Score:1)
Privacy isn't the problem, Political Correctness is. (Score:1)
When companies have to pay millions for dirty jokes/etc, we end up in this draconian state that we have now.
Common sense is no more, so laws are passed to regulate it.
You may resume your daily illusion.
-Brook Harty
Weird thought - disallow email. (Score:4)
Non-work-related email can be handled through home accounts, POP3 to an employee's ISP's mail server, web mail, or what-have-you.
This is draconian, but it does virtually eliminate the problem of liability for outgoing email. Internal email management is left as an exercise to the reader.
Re:law (Score:1)
On an even more pedantic note, I know of no country in the West where women are a "minority", no matter how much the gender gap at your CS classes might tell you otherwise. And to put the icing on the cake, I believe "lewd" speech is as much protected as prayer is.
--
Re:law (Score:1)
No matter how much the religious right may have impregnated on people's minds, "free speech" doesn't protect speech against a government one doesn't like particularly, it protects all speech, even the proverbial "fire in crowded theater" cliché (the difference being the legal consequences of said speech).
Unless we have a large disagreement as to what lewd means (incidentally, it meant "lay, laical" originally) you are way off base here, my friend.
--
monitoring may expose you more (Score:2)
I don't think monitoring is feasible. In fact, it may expose you to even more liability because it puts you in the position of being able to discover problems, and the presumption then may be that you knew about a problem but chose to ignore it.
I'd prohibit any personal use of company E-mail (there is no need for it--web-based mailers provide an excellent alternative), have a clear policy on how employees can get help with problems, and indicate to external recipients of E-mail messages (in a header or signature) who they can contact in case of problems with mail they received. But if it really worries you, why not talk to a lawyer?
Explain to employees (Score:2)
Re:Encryption policies? (Score:1)
Encryption policies? (Score:3)
In other words, should there be an organizational policy on encryption? Such as something like:
"Only organizationally issued [and hence escrowed] encryption software and keys may be used to secure communications. All other encryption may be construed as evidence of prohibited behavior." or some other kind of legalese.
To me this seems more draconian, but at the same time if the stated goal is maintaining company control over the computers and the data, I can't see how you could allow an encryption free-for-all without causing problems.
Re:How is Paper Mail Handled? (Score:1)
Actually, almost all mail that I receive at work (which is very little) is opened by the secretary long before it gets to me. And that's good too, since she usually can recognize junk mail and throw it away before I see it.
If it's personal (e.g. all those love letters from Morgan Fairchild [ign.com]), it is sent to my home, not my place of employment.
---
Re:not draconian at all (Score:2)
What they need is "work" mail as opposed to personal mail. Perhaps this can be fixed by giving them a boring mail address such as sales05@company.com or support@company.com instead of joeschmoe@company.com. That might help keep other parties from thinking that it's appropriate to use that address for chatting about Joe Schmoe's girlfriend's hemorrhoids.
---
not draconian at all (Score:2)
You'd still be letting them access their personal email from work -- so it's not THAT draconian.
And they can still communicate via email internally.
A way to verify contents without snooping (Score:3)
So, what if the B's mail server logs only a checksum/hash of all outgoing mail? Then B would have evidence that could counteract A's account, but would not need to be intrusive or store huge amounts of email forever. While having each user PGP sign their documents would serve the same purpose (and be more reliable, since it would provide definite proof of a forgery), this system would be much easier to implement on a companywide basis.
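The hash-only outgoing log proposed in the post above, as an added example that is not part of the original post. It assumes a hypothetical hook that sees each outgoing message as raw bytes; the header list, function names and sample messages are constructed for illustration. Hashing raw bytes would fail in practice because relays add headers, refold lines and change line endings, so the digest is taken over a normalised form, and entries are chained so that later edits to the log are detectable.

```python
import hashlib
import json
from email import message_from_bytes

# Headers covered by the digest (an assumption). Transit-added headers such as
# Received are left out so the recipient's copy still matches the sender's log.
HASHED_HEADERS = ("from", "to", "cc", "date", "subject", "message-id")
GENESIS = "0" * 64


def canonical_digest(raw: bytes) -> str:
    """SHA-256 over selected headers plus a whitespace-normalised body."""
    unified = raw.replace(b"\r\n", b"\n")
    _, _, body = unified.partition(b"\n\n")
    msg = message_from_bytes(raw)
    h = hashlib.sha256()
    for name in HASHED_HEADERS:
        for value in msg.get_all(name, []):
            # Collapse header folding and runs of whitespace.
            flat = " ".join(str(value).split())
            h.update(f"{name}:{flat}\n".encode("utf-8", "surrogateescape"))
    lines = [line.rstrip() for line in body.split(b"\n")]
    while lines and not lines[-1]:
        lines.pop()  # trailing blank lines are often added or removed in transit
    h.update(b"\n" + b"\r\n".join(lines))
    return h.hexdigest()


def entry_hash(entry: dict) -> str:
    payload = json.dumps({k: entry[k] for k in ("ts", "digest", "prev")},
                         sort_keys=True)
    return hashlib.sha256(payload.encode("ascii")).hexdigest()


def append_entry(log: list, raw: bytes, ts: str) -> dict:
    """Record only the digest; the message content itself is never stored."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {"ts": ts, "digest": canonical_digest(raw), "prev": prev}
    entry["entry_hash"] = entry_hash(entry)
    log.append(entry)
    return entry


def chain_intact(log: list) -> bool:
    """True if no entry was altered, removed or reordered after the fact."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or entry["entry_hash"] != entry_hash(entry):
            return False
        prev = entry["entry_hash"]
    return True


def was_sent(log: list, claimed: bytes):
    """Return the log entry matching a message someone claims B sent, or None."""
    digest = canonical_digest(claimed)
    return next((e for e in log if e["digest"] == digest), None)


# Constructed sample messages.
SENT = (b"From: b@example.com\r\nTo: a@example.org\r\n"
        b"Date: Mon, 06 Jan 2025 10:00:00 +0000\r\n"
        b"Subject: Q3 pricing proposal\r\n"
        b"Message-ID: <constructed-1@example.com>\r\n\r\n"
        b"The price is 40 per unit.\r\nRegards,\r\nB\r\n")
# The same message as the recipient holds it: extra Received header, LF line
# endings, folded Subject, trailing whitespace and blank lines.
DELIVERED = (b"Received: from mx.example.net by mail.example.org\n"
             b"From: b@example.com\nTo: a@example.org\n"
             b"Date: Mon, 06 Jan 2025 10:00:00 +0000\n"
             b"Subject: Q3 pricing\n proposal\n"
             b"Message-ID: <constructed-1@example.com>\n\n"
             b"The price is 40 per unit.  \nRegards,\nB\n\n\n")
# A copy with the body altered after the fact.
FORGED = DELIVERED.replace(b"40 per unit", b"14 per unit")

if __name__ == "__main__":
    log = []
    append_entry(log, SENT, "2025-01-06T10:00:00Z")
    print("delivered copy matches log:", was_sent(log, DELIVERED) is not None)
    print("altered copy matches log:", was_sent(log, FORGED) is not None)
    print("log chain intact:", chain_intact(log))
```

The chain only exposes tampering if the most recent `entry_hash` is also kept somewhere the mail administrator cannot rewrite. A plain digest still lets anyone with log access confirm a guess at a message's exact content, so the log is less private than it looks for short or predictable mail.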
Log Email (Score:2)
I know this sounds a little bit like those stupid voluntary privacy policies that people like doubleClick have. But you're not them. You're a small business concerned about balancing privacy with responsibility. You might be able to handle it.
Also, I really think that with the number of ways that someone can send and receive email today on the net, use of a company account for personal business is really not a must.
Full disclosure (Score:1)
---
Protective Measures (Score:1)
In any event, all of her e-mail which leaves the office has a tag attached to it, identifying it as the sole property, expression and views of the writer. The same sort of disclaimer should be applicable in your case.
Re:This is (going to be) unpopular, but... (Score:1)
Our freedom of speech is not as pronounced as the US version, for example we can not legally promote hate like nazism.
But we have a lot more protection when it comes to privacy, regardless where we are.
Only after a company is informed that their systems are being abused can they start to investigate, usually under very strict rules and conditions.
For example here in Holland the elected employees committee has to approve of the methods to be used.
Although the law is not quite clear most people expect the same protection against reading of their E-mail as there is against the unauthorised opening of ordinary mail, WHY NOT?
When an employer needs the tool of tabs on internet and phone use to assure their employees are putting in their money's worth of work there is something rotten in the system.
Modern companies set productivity targets and when people are meeting them it's rather unimportant what else they do!
What about webmail? (Score:1)
Re:How is Paper Mail Handled? (Score:1)
Re:How is Paper Mail Handled? (Score:1)
No, I'm certain the paper mail is simply delivered to your desk.
Not at my company. We are heavily regulated by the government, so most paper mail that goes in and out of the company is scrutinized very closely.
The responsibility with paper mail is with the individuals.
Why change things for electronic mail?
Because, unlike paper mail, electronic mail can last forever. It is very easy for me to write a letter by hand, then send it away with instructions to be destroyed by the recipient. The only copy is gone, with no record that it ever existed.
Email is different. All those bits get backed up on a regular basis, and then can be used in a court of law. I offer Microsoft as an example of this. What might seem like a personal message, could have significance in a harassment or wrongful termination case.
Having cake, eating too. (Score:3)
Can't be done.
You must monitor every email if you're to catch those creating true liability. You must log every page view if you're to catch the porn surfers. If you sample these things, those you catch can accuse you of singling them out. If you sample, you might miss some doozies. And as the filter companies have shown us, these sampling and filtering methods do not work (yet?).
Perhaps what you need is a modest plan involving user education, a written policy protecting user privacy and agreeing to full disclosure when it must be violated in the course of some investigation, and enough documentation to demonstrate due vigilance wrt these issues in case a suit arises.
In the end, those who want to bad enough will screw everything useful up for everyone. The trick isn't on preventing it so much as being able to prove that you made every reasonable attempt to prevent it.
Totally wrong solution (Score:2)
Better yet, pay attention to current bills being considered. An ounce of prevention....
--
subdomain for private use? (Score:1)
Combined with a note on your webpage, company terms and so on, this could be a legal wrapper against such 'attacks'.
Re:You need a legal opinion not a tech one (Score:1)
>want to investigate some kind of business insurance to
>cover litigation and damages that may result.
Done and done. That wasn't the point of my question. The point is: what is too much to an employee?
Why not ask my own employees? Not technically savvy enough to give an educated response.
BTW, part of the problem with the US is that we too often feel that the legal response is the correct one. Sometimes, one has to do what is right, which is what I am attempting to do in this case. As mentioned in an earlier post, blocking all email except for a few is the safest policy from a legal perspective. However, it's also the least kind to employees who have not done anything wrong. I have no desire to throw out the baby with the bathwater.
As far as being compliant: welcome to the United States. I manage a business with > 50 employees. Therefore, I have to be as compliant with every bit of personnel law as General Motors and Microsoft. Whether or not we claim compliance has nothing to do with it.
The point of this is not to go after the employee, as you seem to imply. It's to cover my own butt, while not pissing them off.
Re:How is Paper Mail Handled? (Score:1)
You'd have to ask the courts. They are trying (and succeeding) to reinvent the wheel.
If 2600 had 'merely' printed the code in an issue of their magazine, there would be no case.
Re:Totally wrong solution (Score:1)
Re:This is going to be unpopular, but... (Score:1)
I'm not saying they aren't a malcontent. But how many smart people on
Re:Bizarre Assumptions, Good Advice (Score:1)
As far as having intelligent employees, yes, that is the bulk of our staff. However, when unemployment rates are as low as they are, finding new staff that is competent (and by this, I mean that they can alphabetize) becomes increasingly difficult.
We have phone policies. We have fax policies. But if you reread the original question, you'll see that the purpose was to garner what seemed to be a reasonable policy regarding the internet and email (not yet implemented in our office for a variety of reasons).
With few exceptions, I have gotten few, if any, reasonable responses to my question. It is very easy for slashdot to bemoan the practices of companies. Yet when I asked for a policy that takes into account both their needs and those of the employer, the responses seem to be:
Screw 'em. You gotta cover your own ass.
-or-
It's your job, not mine.
As long as that is the mentality that exists when one tries to get the opinions of
I must also state that I'm quite dismayed that Mr. Katz has not chimed in. (or at least he hasn't yet been modded up. Perhaps a recheck is in order). Despite his constant protests of the hegemony of the American Corporate Culture, when given a chance to voice constructive criticism, he is nowhere to be seen. Perhaps those who denigrate him are correct. He is a reactionary with little to offer to the conversation.
But on slashdot, it seems he is not alone.
(btw, for those who must flame, the mail server is at olg.com)
Re:I would say speak with the employees (Score:1)
Re:Totally wrong solution (Score:1)
Guess what? Didn't work. Spineless idiots.
OTOH, remember that this is in response not to written laws but rather to poor interpretations of existing laws by judges. It might have been 'Database Nation', but there was a book I read this summer that talked of the absurdity of the sexual harassment laws/interpretations in particular.
Not draconian, but a reality... (Score:1)
Before we were allowed access, we had to sign two or three pages of disclaimers and such stating that we were aware that we "had no reasonable expectation of privacy" in our email or internet usage, and that the agency could peek into it at any time, with or without cause. It also stated that email and internet access were for work only, and had some language stating that minimal or occasional usage for personal reasons was okay.
Yes, the policy sounded insane, and most of us were pissed off. Grudgingly, we signed anyway. (Refusal to sign meant no internet access or email, period.)
To my knowledge there have not been any "issues" involving email or internet usage there (save for a problem with some silly Christmas card program that took up huge amounts of space on the server). The more savvy employees got Yahoo accounts for their personal usage. And for the most part, everyone lived happily ever after.
If a problem did arise, at least the agency feels protected by the lengthy disclaimers. Obnoxious or not, they would hold up in court.
How is Paper Mail Handled? (Score:3)
No, I'm certain the paper mail is simply delivered to your desk. The same way outgoing paper mail is handled, and interoffice paper mail. The mailroom leaves the responsibility with the individuals involved.
If you remember your business letter standards, how you sign your letter is also an indication of whether you are speaking for the company or not. The responsibility with paper mail is with the individuals.
Why change things for electronic mail?
Some imaginary conversations (Score:1)
TG: Erm, Mr. Boss, sir, I have that Internet policy you asked for. (Offers PAPER to BOSS.)
BOSS (inspecting PAPER): It says here that we won't read our employees' e-mail.
TG: Erm, yes, sir.
BOSS: So if I suspect that one of my employees is embezzling, or selling our secret formula for Slashdot Cola to my competitors, or tipping off friends about likely changes in our stock price, I can't look at files on the computer that was bought with the stockholders' money to find out?
TG: Erm, well, sir, I don't want to play Big Brother.
BOSS: Then go work at the Mickey D's drive-through. You're fired.
(MY OFFICE, one week later. TECH GUY #2 enters, holding another PAPER.)
TG2: Erm, Mr. Boss, sir, I have that revised Internet policy you asked for. (Offers PAPER to BOSS.)
BOSS (inspecting PAPER): It says here that we won't read our employees' e-mail unless we reasonably suspect that they're doing some forbidden thing.
TG2: Erm, yes, sir.
BOSS: So if I suspect that one of our employees is embezzling, and I find out that he is embezzling, and I fire him, he can still sue us for breach of contract, alleging that even though he really was embezzling, I didn't have enough information to form a reasonable suspicion that would allow me to look at his e-mail? Which, by the way, is stored on the computer which was bought with the shareholders' money?
TG2: Erm, well, sir, ...
BOSS: Thanks so much. You're fired. Have a great day.
(MY OFFICE, one week later. TECH GUY #3 enters, holding yet another PAPER.)
TG3: Erm, Mr. Boss, sir, I have that second revised Internet policy you asked for. (Offers PAPER to BOSS.)
BOSS (inspecting PAPER): It says here that we can read our employees' e-mail for any reason at any time. Won't our employees think that we're playing Big Brother, and be angry and resentful?
TG3: I'll blather on to them about EEOC guidelines. Besides, all our competitors have the same policy. What choice do our employees have?
BOSS: You'll go far in this company, Jenkins.
Re:Mandatory Encryption (Score:1)
Logging doesn't prevent anything (Score:2)
Keeping logs doesn't really protect you. All logging does is simplify a post-mortem, and provide a method for digging into someone's past and turning a non-event into something nefarious. If the data isn't collected, you can't turn it over to someone.
And the user can still send inappropriate email using any form of encryption such as, oh, any non-English language. Seriously. Are you going to spot check the emails written in French? Hindi? Farsi? Obfuscated Perl? How about keyword filtering in those languages?
About the best you can do is use the same policy you have in place now for phone use. If it gets out of hand, you, or your co-workers will know (or will rat on the guilty). Make Human Resources play the part of bad guy, and have them deal with these personnel issues. Publicize the policy, and have a two infraction limit. First warning, a week without pay. Second warning, you're fired. Zero exceptions (including VP's and CEO's).
Finally, I'm happy to see that you realize it's not that you're going to get 2,000 hours of perfect work out of an employee per year, but that the value of what they do during a year is greater than what you pay them each year.
Some experiences I've had (Score:3)
I've documented similar experiences at: http://www.robertgraham.com/pubs/firewall-pr0n.html [robertgraham.com]
Why not get yourself protected as an ISP? (Score:2)
Become a "private ISP" of sorts. Charge a nominal, required fee for use of the e-mail system. That way you could use some of the legal protections ISPs have.
External Use Policy... (Score:2)
Web:
Re:Liabilities (Score:2)
This [incomesdata.co.uk] document has a number of good links related to this story.
Liabilities (Score:3)
This [uwaterloo.ca] page lists a few more lawsuits from company liability about email. To limit liability in such cases, they suggest:
Re:I really think it's fair. (Score:2)
Hmm. I can see this with the internet (while things like online banking make this a borderline decision, as most online banking sites are more convenient than phone banking) I can't agree with the phone - most companies accept that *other* companies don't deal outside of business hours, so employees are likely to need to make the occasional personal call to a bank, utility or doctor that would otherwise need them to travel to the place of business or find a payphone. Some provide a small room with a desk and payphone for "private" calls, but the majority just roll in the small cost of these calls as overheads and ignore them (provided they aren't abused of course).
In fact, a current English law is still pending because in effect, you would require the formal permission of *both* participants in a call not to be committing a crime that carries a jail sentence; they are working on alternative wordings that allow sensible monitoring without allowing anyone but the government a snooper's licence (now that they have one, they are jealous of anyone else getting one)....
--
Re:Put simply... (Score:2)
The fact that you visited www.livenudegoatpr0n.com at work is not a personal detail. It's information that the company can release to anyone it bloody well chooses because the entire transaction took place using company equipment and property and on company time. That means that it wasn't a private act, but a public act within the company. So you can't bitch that your company announced that you were fired because you were filling up the company's hard drive with pr0n.
Kintanon
Re:Put simply... (Score:2)
That is a risk. A possibly expensive risk.
I don't think you understand how corporations work, they aren't going to just notice hits to pr0n and fire the guy and announce it. They are going to notice the hits, set up some more intrusive monitoring on his machine, and find out everything they need to know to be sure it's who they think it is. Then discuss it with them, and continue monitoring. Corporations are VERY cautious because they don't like wrongful termination suits any more than any other kind of lawsuit.
Kintanon
small company big company (Score:2)
Sometimes, in a smaller company with 100 people - it is possible to work closely with the employees to ensure they understand the company standard practices. I have seen cases where in general meetings, the COO has tabled the issue and has asked for a consensus among the employees about how the company as a whole should deal with this issue.
That is not really practical in a larger context. I work in an information services department with more than 4000 people in a largish corporation. For us, here, (and I'm not the person who enforces these policies here) there may not be really any other way out rather than blatant denial/interception.
Whatever way you choose - it is wise to use understanding and care when dealing with such violations.
Re:Put simply... (Score:2)
Man! I can't imagine being so addicted to pr0n that you just have to get into it at work when the company policies so specifically forbid it (and it's NOT hard for your employer to check). Just seems dumb. I mean, I feel bad enough reading slashdot for an hour at a time, but at least that's not (specifically:) against company policy.
Re:not draconian at all (Score:2)
Our company has gone the opposite of what you suggest and disabled communication to/from port 25. So we can receive home email, but can't send.
Well, that is, most people can't.
Is The Company Liable For Computers It Gave Away? (Score:2)
-----
This is going to be unpopular, but... (Score:3)
1) They can have all the e-mail and web surfing at home that they want. Even for free.
2) You paid for the computers and the internet connection. You get to dictate terms of use. If they want to "represent" the company they need to abide by your rules.
3) If they screw up and get you sued, you can fire them. You, however, can lose your business. Being the one to put your neck and reputation on the line by starting a business means you take more risks and can get more rewards. Don't let someone take that away from you because they wanted to "show you".
Overall, if they are adults, they should realize the responsibility that they have to their place of work. If they want to violate your policy and expose you to risk, then someone else can hire them and take the risk. Or, they can become self-employed. Then they can see what it is like to have themselves exposed to risk.
All my programs have a purpose. This one, for example, takes the contents of RAM and places it in a file called 'core'.
Clear *GUIDELINES* (Score:2)
Depending on the nature of your company, you might not want to strictly monitor such communications -- but be sure to create guidelines that all who are employed by your company can understand without legal counsel.
If suspicion is strong enough, maybe monitoring communications minimally. Many companies do allow (without acknowledging) some personal activities to slip through the cracks, so long as the employee is doing their job. But I don't know about many professions and how easy it might be to get compulsively sidetracked, but I'll bet many companies that don't deal with consumers often don't always promote the most comfortable work environment in the name of saving money!
Of course I'm wrong, so comment accordingly ;-)
Bizarre Assumptions, Good Advice (Score:3)
Standard Disclaimer: I am not your lawyer.
The fact is, if you have a business of more employees than you can count on one hand, you should probably have policies regarding personal use of the phone, Internet, and other office resources.
This does NOT mean just write them down and stick 'em in a file cabinet. That's how you get in serious trouble with plaintiff's lawyers. What you SHOULD do is this:
Your employees are not stupid. You can explain that a flirtatious UPS driver, or even going out for drinks with the office after work, are different from employees making frequent sexual comments about other employees, different from turning a blind eye to employees who send sexually explicit URLs around the office or spend time at work surfing those sites, and different from employees who hit on other employees and give them worse work assignments after being rejected.
That last thing -- that's where most employers who get nailed in lawsuits really get nailed. People who end an on-the-job romance (or refuse to have one in the first place) shouldn't have to worry that they're going to get lousy assignments, no more promotions, or lose their job as a result. As an employer, you need to see to it that those things don't happen.
time to change the laws (Score:2)
Really, we need an adjustment of the law. The judicial interpretation of the law has led to some amazing rulings regarding sexual harassment. Not only has it wrongly cost many companies money, time, and employees, but it has trivialized the truly evil sexual harassment which still goes on everywhere. It should always be the case that a company has a chance to rectify a situation after the fact. Any large company should have a contact person in HR who can receive a complaint, and companies should not have liability unless they fail to respond to a complaint. Anyone who can file a lawsuit can surely take a complaint to HR first; otherwise, I'd say they are motivated by greed and/or spite, and not just the desire to have a healthy workplace environment.
Of course, it won't come as any surprise to slashdot readers that the country is in love with litigation, but the longer I work, the more I witness incidents where the spectre of litigation protects only the wicked, as it were.
e-policy (Score:2)
http://www.amazon.com/exec/obidos/ASIN/0814479960/ [amazon.com]
kick some CAD [cadfu.com]
Strengthen internal communication (Score:3)
Some of the solutions were already in your question. (1) Hire dependable, hard-working, trust-worthy people. (2) As your company grows don't let them lose touch with each other or resources for help in case something does happen to them. In other words, get a strong, honest, HR director or department, someone your employees feel is on their side and not the company's. (3) Talk to a good consulting firm that handles HR issues like workplace grievances and see what they recommend (4) and since it will happen someday, get a good team of lawyers.
The solution to the issue of unwanted lawsuits lies not in controlling outside contact, but strengthening contacts inside the office.
Monitoring..sure way to get sued (Score:2)
E-mail policy was a huge issue for us. The technical team and the legal team looked at it from several sides. The first thing we thought of was the cost of monitoring e-mail and what problems it may cause. The biggest problem was that actually monitoring e-mail caused far more issues than not.
It was far more likely that we would be sued for terminating someone over an e-mail rather than waiting and responding to a complaint about said e-mail. The biggest factor in this was dealing with low level management. Frankly, the low level is there to watch the clock and fill out reports. The probability of a manager making under 30K a year correctly handling the situation was quite low as well.
Furthermore, by opening mail up to be read we risk disclosing information that would break NDAs and FTC rules. For instance we wouldn't want mail about a merger or sell off to be made public until it was legally correct to do so.
In the end the mail policy was set up so that monitoring of e-mail would only be allowed in the case where a VP level or higher authorized viewing the mail. Any other complaints would be handled via HR channels.
Put simply... (Score:4)
At least they should be considered so.
My company has a simple policy - pretty much open internet. Some sites throw up red flags and are blocked (such as playboy.com).
We publish the company's internet usage policy on the intranet home page. No one has the ability to change that home page. They are required to abide by the rules of internet usage.
If they don't, the rules are simple - termination.
And we make a big deal out of it. Terminations are not announced (the rumour mill takes care of that...), but when employees are convicted of having soft/hard/child pron on their machines, a letter of explanation goes out from the company president.
It's amazing to see the internet usage ramp down for a few weeks!
Re:You need a legal opinion not a tech one (Score:3)
Wrong.
Let's say the magic words again, everyone: "good faith effort". Aside from the (IMHO sexist backlash of) hysterical overreaction to sexual harassment claims, the reality is very different. You as an employer are not held responsible for everything an employee does. But you are responsible if you condone it, if you have policies which make it easier on the harassers than the harassed, if you don't take early complaints seriously, etc. If you have a policy, you tell people where they can complain, and you make a good faith effort to follow up, you do not have a problem.
Then again, in the real world (outside of the backlash hysteria) a lot of individuals and companies don't have a problem even when they don't do it right. (begin rant)
Real life example. A lifeguard for a city pool sued the city because of pervasive sexual harassment by her supervisor. The city had a sexual harassment policy and displayed it at city hall, but the employee worked only at the pool and never saw it. When she tried to complain to her supervisor's superior they lied/didn't know better and told her that there was nothing that could be done about it. One of the lower courts ruled that even though they had completely failed to do anything useful with it, the city was still protected from the complaint just because of the existence of a formulated policy. (in this case even a bad faith effort is ok, apparently). The case was under appeal when I heard about it, I don't know the final outcome.
Another real world case for those who think a flirting UPS man will lose them their business. A large supermarket chain had a store manager accused of sexual harassment bordering on attempted assault. Their solution to the problem was to maintain his "rank" but switch him to another location where no one had heard about his past behavior. There he was given enough authority over a small enough crew that he could one night order everyone home but one woman at lockup time and rape her in his office. When she found out about his prior complaints and the way the chain had responded to them, she sued. On her last appeal, the court ruled that the chain had not acted in negligence, and she had no standing for such a claim. They did say that she could file a workers comp claim, because the "injury" arose out of normal work conditions. Wanna guess which state thinks having a known sexual predator around is just something the company can't be expected to change? Massachusetts, home of the "liberal, activist" court.
Now I keep hearing people rant about these overreacting sexual harassment claims, but I've never actually heard an authenticated, or even first hand report on one. Out in the real world, it looks like the companies can protect themselves just by having a policy, distributing it and sticking with it, harassers can protect themselves by being "good enough" that their supervisors turn a blind eye or reassign when too many people complain, and the harassed can protect themselves.... how? I don't know. Make a complaint and hope anything useful happens, then go out and listen to your friends complain about the neutered corporate culture they're imagining.
Rant over, gotta go to bed.
-Kahuna Burger
SMTP/POP doesn't work with subdomains. (Score:2)
<O
( \
XGNOME vs. KDE: the game! [8m.com]
It's not that hard... (Score:2)
Because of this and to protect ourselves from the liability mentioned above, we monitor email in a way that we consider to be reasonably fair. All incoming, outgoing and intercompany emails are scanned for a set list of words and phrases (that was an interesting day, keying in all of the offensive words I knew), in addition to being virus scanned, checked for size, etc.
Incoming mail that throws a lexical violation (contains enough of the words/phrases to red flag it) gets bounced with a polite message regarding inappropriate business content. Outgoing and intercompany mails which we might be liable for that throw a lexical violation are forwarded directly to the head of HR, who determines if it is necessary to take any action. 9 times out of 10, nothing is done.
Regarding the web, we catch every single URL that gets keyed in. We do restrict and filter content, more to reduce bandwidth usage than any other reason. On the other hand, as the guy who had to search the logs, I can tell you definitely there were people surfing porn. I'm not talking about an occasional glance either, I'm talking an hour long porn fest. The software we use allows us to tailor a surfing policy for different groups of users. Data entry personnel who don't need the internet for business use simply don't have access. My company pays for the pipe. They pay for it so the business can grow, not to provide an ISP to employees.
As a final note, I saw someone talking about smartasses who put all of the offensive words in their sig. Yes, it's very cute, and it happened to us several times. I've found that after an extended conversation with both HR and the Manager of Information Security they find better uses for their time.
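Added example, not the commenter's software: a sketch of the threshold-based "lexical violation" routing described in the comment above, which also separates hits in the body from hits that appear only in a signature block. The watch terms, threshold, domain, action names and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string, policy

# Assumptions for illustration only: placeholder terms, threshold and domain.
WATCH_TERMS = ("redflag-alpha", "redflag-bravo", "redflag charlie phrase")
THRESHOLD = 2                      # distinct terms needed for a "lexical violation"
INTERNAL_DOMAIN = "corp.example"   # hypothetical company mail domain
SIG_DELIM = re.compile(r"^-- ?\r?$", re.MULTILINE)  # conventional "-- " sig marker


def split_signature(text):
    """Return (body, signature), cutting at the last signature delimiter line."""
    matches = list(SIG_DELIM.finditer(text))
    if not matches:
        return text, ""
    cut = matches[-1].start()
    return text[:cut], text[cut:]


def distinct_hits(text):
    """Set of watch terms present; whitespace is normalised so phrases
    wrapped across lines still match, and repeats count only once."""
    norm = " ".join(text.lower().split())
    return {t for t in WATCH_TERMS
            if re.search(r"(?<!\w)" + re.escape(t) + r"(?!\w)", norm)}


def direction(msg):
    """Classify as incoming, outgoing or intercompany from the address domains."""
    def domains(header):
        value = msg[header]
        return {a.domain.lower() for a in value.addresses} if value else set()
    if domains("From") != {INTERNAL_DOMAIN}:
        return "incoming"
    rcpts = domains("To") | domains("Cc")
    return "intercompany" if rcpts <= {INTERNAL_DOMAIN} else "outgoing"


def route(raw):
    """Return (action, body_hits, sig_hits) for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain",))
    body, sig = split_signature(part.get_content() if part else "")
    body_hits, sig_hits = distinct_hits(body), distinct_hits(sig)
    if len(body_hits) >= THRESHOLD:
        action = "bounce" if direction(msg) == "incoming" else "forward_to_hr"
    elif len(body_hits | sig_hits) >= THRESHOLD:
        action = "log_signature_only"   # keyword-stuffed .sig: record, don't escalate
    else:
        action = "deliver"
    return action, body_hits, sig_hits


def build(sender, rcpt, body_lines):
    """Assemble a constructed sample message."""
    head = [f"From: {sender}", f"To: {rcpt}", "Subject: constructed sample", ""]
    return "\n".join(head + body_lines) + "\n"


FLAGGED_BODY = ["This redflag-alpha note is a redflag charlie", "phrase for you."]
OUTGOING = build("alice@corp.example", "bob@partner.example", FLAGGED_BODY)
INCOMING = build("mallory@elsewhere.example", "alice@corp.example", FLAGGED_BODY)
SIG_STUFFED = build("alice@corp.example", "bob@partner.example",
                    ["Lunch at noon?", "-- ", "Alice",
                     "redflag-alpha redflag-bravo redflag charlie phrase"])

if __name__ == "__main__":
    for name, raw in [("outgoing", OUTGOING), ("incoming", INCOMING),
                      ("sig-stuffed", SIG_STUFFED)]:
        print(name, route(raw))
```

Treating signature-only hits as a separate, logged outcome keeps the HR queue clear without creating a blind spot after the delimiter.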
The Death of Common Sense (Score:3)
EEOC law != "quotas" (Score:2)
Re:This is going to be unpopular, but... (Score:2)
Would you appreciate it if a roommate hopped on your computer and sent harassing/threatening e-mails out under your name? Probably not.
Now what if you hire that roommate to write some code for you using your machine. He sends out threatening e-mails using your machine, again under your name, but now he's an employee. It's your computer, does the fact that you've hired him to write code on it give him the right to use it any way he wants?
Now make it a small business with you hiring two coders, you own all the machines, do they have the right to use them as they please? Scale it all up-- at every level, the person/persons/shareholders who OWN the machines have the right to say what gets done with them. If you don't like it get a machine at home and a dial-up account.
simple things you can do (Score:3)
1) Have a written internet policy. Work it over carefully. And have every employee who gets an internet-connected computer sign that they've read, understand, and agree to abide by the agreement.
2) Business e-mail is the same thing as letterhead. Employees don't use letterhead for personal correspondence, they shouldn't use business e-mail for personal purposes. Hotmail, yahoo! mail, go mail, there are a hundred free e-mail services out there that work just fine. Simply make policy that the business e-mail is business use only. Period. Help users set up hotmail/yahoo/whatever if they want. Bingo! You have no ethics problems with full logging/reading every e-mail that goes through. There are no personal/privacy issues to deal with. If an employee gets caught using it for personal purposes, there's no reasonable expectation of privacy since you've already stated that it's business only and will be logged.
3) Make policy on personal web-browsing. Make it clear what is not acceptable. And deal with abusers promptly.
4) Sexual harassment: this is only a real problem if something is brought to your attention and you fail to act on it. If the delivery guy is being inappropriate, you ought to be on the horn to the local delivery office immediately if not sooner! As soon as you mention "sexual harassment" and "we're discussing this with legal" the guy will be on notice, and if it happens again, he'll be fired. Guaranteed.
Further Reading (Score:3)
- A. Keiper
The Center for the Study of Technology and Society [tecsoc.org]
Washington, D.C.
Re:CAUTION: NON-COMPETE (Score:2)
Restrictive Outbound Firewalls (Score:2)
Back to company policies. The company for which I work has RFC1918 addresses for internal systems, NATted out through a firewall which only allows outbound on 80 and 443 for almost all systems.
Being non-stupid, I set up an SSH daemon on port 443 on an outside box and set up tunneling, but that's beside the point.
Point is that my company chose to place restrictions such that using external non-webmail accounts was impossible (well, for the 99% who tend to lack clue). MSIE is set up here by default to use their proxy, and settings on the workstations are locked down.
Were their choices better because they were diligent in limiting use?
Were they worse, because by not allowing SMTP, POP, SSH, telnet, and unproxied FTP, they encouraged the use of company applications and company servers, and not just company connectivity?
Since I can tunnel everything including web traffic (got me a proxy outside) they can't even see anything but one really long connection to a single host which comes up with nothing when they pop it after https://.
Reliability suffers, and my TCP/IP stack on this damned Windows box blows up too often with all the forwards, but have they won, have I, or neither?
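Added example, not part of the comment above: a defender-side review of firewall session records for the two things that comment describes, a single very long connection on port 443 and an SSH daemon answering on that port. The log layout, field names, addresses and the four-hour threshold are constructed assumptions; the protocol check relies on SSH servers opening with an "SSH-" identification string while a TLS server's first record starts with bytes 0x16 0x03.

```python
import csv
import io

MAX_SESSION_SECONDS = 4 * 3600  # assumed cut-off for an unusually long 443 session

# Constructed session records (documentation address ranges); the last column
# is the first bytes the remote server sent, hex-encoded by the logging device.
SAMPLE_LOG = """\
src,dst,dport,duration_s,server_first_bytes_hex
10.1.4.22,203.0.113.10,443,95,160303005b02
10.1.4.37,198.51.100.7,443,30412,5353482d322e302d
10.1.4.51,192.0.2.80,443,21900,160303005b02
10.1.4.22,203.0.113.10,80,12,485454502f312e31
"""


def classify_payload(data):
    """Identify the protocol from the server's first bytes."""
    if data.startswith(b"SSH-"):
        return "ssh"      # SSH identification string, e.g. b"SSH-2.0-..."
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"      # TLS handshake record, protocol major version 3
    return "other"


def review_sessions(log_text, max_seconds=MAX_SESSION_SECONDS):
    """Return (src, dst, reasons) for every port-443 session worth a look."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dport"] != "443":
            continue
        reasons = []
        proto = classify_payload(bytes.fromhex(row["server_first_bytes_hex"]))
        if proto != "tls":
            reasons.append(f"non-TLS payload ({proto})")
        if int(row["duration_s"]) > max_seconds:
            reasons.append("long-lived session")
        if reasons:
            findings.append((row["src"], row["dst"], reasons))
    return findings


if __name__ == "__main__":
    for src, dst, reasons in review_sessions(SAMPLE_LOG):
        print(f"{src} -> {dst}:443  {', '.join(reasons)}")
```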
Re:How is Paper Mail Handled? (Score:2)
Email is much more informal than paper mail, and people treat it accordingly. I can't imagine people in my office send or get chain letters, jokes, and photos of varying levels of propriety through the postal service. But the volume of the same kind of stuff they send and get over email is enormous.
People are much more likely to send or receive "inappropriate" material via email than by post. The two mechanisms require different sets of rules.
-
Disclaimers (Score:3)
Most importantly, it may be able to save you the ugly mess of an email screen.
Alternative Approach (Score:2)
The upshot is that everyone can read everyone else's email. The web isn't logged or monitored, but the office is open plan. So everyone can see that I'm posting to
Total openness and good old-fashioned embarrassment mean that nothing untoward goes on.
Whether this system would work in an environment that didn't consist of a majority by weight of lawyers is left as an exercise for the student.
Educate them (Score:5)
When I was in college, I was involved with a school program that was being threatened with being shut down because incoming students would complain that they were pressured into drinking. However, there were 400 students involved in the program and there was no way we could police them all. The students in charge of the program appealed to the other students, explained the problem and explained the consequences and we had almost no problems. A couple of years later, it had become a "rule", and it's now a problem again. My point is that when we explained the situation, they wanted to help and were able to.
As far as the UPS person flirting with a receptionist, if your receptionist has some sort of way of getting help or discreetly calling someone into the room, the flirting will not be a problem. I would think any judge would look at that and realize the company had done all it could. But then, IANAL.
Mandatory Encryption (Score:2)
There are a ton of other reasons a policy like this makes sense; indemnifying yourself from such lawsuits is just a convenient side effect.
Society (ie you and me) needs to change (Score:2)
What to do? I would say:
---------
Re:From the Linux Capital Group employee handbook (Score:2)
Buried in all the language about understanding and respect, is the real answer to the question:
Members of the executive staff, the employee's supervisor, or another employee at the direction of a member of the executive staff, may access, monitor and act on any message or communication or data in any system at any time and may view and consider and act on the contents of any item provided for use in the normal course of company business...The Company reserves the right to inspect information and work environment at any time, with or without notice.
---------
Open source to resist? (Score:3)
It's a very hard problem for the Lab I'm sure, pitting the need for open exchange of ideas between researchers against the need to protect the security of what we were working on.
Anyway, now that there are programs that can monitor web usage, could we write a program that could warn users? Or, are all web hits archived so they don't have to monitor in real time? If this were the case such a warning would be useless.
Also, is it any surprise companies are reading email? It's as simple as:
root> cat ~"user"/mail/inbox | grep "insert offensive language here"
50 ways to move your mail (couldn't resist... (Score:3)
The answer is easy, if you see it logically
I'd like to help you in your struggle for privacy
there must be
50 ways to move your email
Get Yahoo [yahoo.com], stu...
or Hotmail [hotmail.com], Gail..
there's freeshell, Del,
Just listen to me
go get Hush [hushmail.com], Gus,
we don't need to discuss much
and get PGP [pgpi.com], Lee
and set yourself free
(I don't want to slashdot freeshell, but if you look hard enough, you can find them)