Communications EU Privacy The Internet

European Court Rules Companies Must Tell Employees of Email Checks (reuters.com)

Companies must tell employees in advance if their work email accounts are being monitored and such checks must not unduly infringe workers' privacy, the European Court of Human Rights ruled on Tuesday. From a report: In a judgment in the case of a man fired 10 years ago for using a work messaging account to communicate with his family, the judges found that Romanian courts failed to protect Bogdan Barbulescu's private correspondence because his employer had not given him prior notice it was monitoring his communications. Email privacy has become a hotly contested issue as more people use work addresses for personal correspondence even as employers demand the right to monitor email and computer usage to ensure staff use work email appropriately. Courts in general have sided with employers on this issue.
  • I work in IT (Score:4, Insightful)

    by Martin S. ( 98249 ) on Tuesday September 05, 2017 @09:52AM (#55140819) Journal

    So I'm going to assume they can and will read anything I do at work and act accordingly.

    • So I'm going to assume they can and will read anything I do at work and act accordingly.

      Yeah, shouldn't that be the base assumption? Even if it's not actively being monitored or has ever been it has the potential to be and can at least be checked up on.

      • Yeah, shouldn't that be the base assumption?

        No. It might be the cautious assumption but that does not mean that someone who expects some level of privacy has unreasonable expectations. There are many different levels of private email correspondence. For example, if I email my wife to let her know that I will be home late because of work I would not expect my employer to fire me for personal use of work email. However, if you tried to run a small business of eBay selling things through your work email then yes I would expect any employer would likely

        • by Cederic ( 9623 )

          if I email my wife to let her know that I will be home late because of work I would not expect my employer to fire me for personal use of work email

          You miss the point. The base assumption should be that your employer will know that you mailed your wife to let her know that you'll be home late.

        • For example, if I email my wife to let her know that I will be home late because of work I would not expect my employer to fire me for personal use of work email. However, if you tried to run a small business of eBay selling things through your work email then yes I would expect any employer would likely fire you for that!

          And how would you expect the employer to know you are doing either? Because they have access to your work email and the ability to look through it. For example, say you work at super company x. You email your wife to say you'll be late or to get milk, some colleagues or even friends about non work related matter. Not really a big deal unless you take the piss. Now say rival company y comes to you and wants some trade secrets in exchange for bags of cash, you wouldn't dream of sending that from your work ema

      • So I'm going to assume they can and will read anything I do at work and act accordingly.

        Yeah, shouldn't that be the base assumption? Even if it's not actively being monitored or has ever been it has the potential to be and can at least be checked up on.

        No, it shouldn't. And in Europe a reasonable expectation of privacy is a codified right.

    • Re:I work in IT (Score:4, Informative)

      by dindi ( 78034 ) on Tuesday September 05, 2017 @10:14AM (#55140913)

      +1 ...

      And why on Earth would someone conduct private business on a company email account.

      Now if they sniff my private mails going to my phone through an external provider, or my home email, that would be a different story.

      But again, I wouldn't use the company's wifi to even receive private mail or access private stuff. For that, you have your data plan.

      And yes, a company computer, a company connection and a company account DOES BELONG to the company, thus should and will be monitored by the company.

      • >And why on Earth would someone conduct private business on a company email account.

        Because you're working late and you need to tell your wife that you're going to be late home, and your employer isn't a douche so is fine with you sending personal emails and has said so.

        Not every employer has a scorched earth policy regarding these things.

      • My company has a "guest" WiFi and a company WiFi. I *assume* both are monitored, and I *assume* that I have no privacy on either.
        In the case of the guest WiFi I view it no different than the WiFi at a Starbucks. I'll use it, but only through a VPN using a pre-shared key and strong encryption. My company WiFi I won't use at all, other than to connect with my company provided computer.

      • by kwerle ( 39371 )

        And why on Earth would someone conduct private business on a company email account.

        Have you ever met people? They're idiots.

        • by AmiMoJo ( 196126 )

          It's actually in the company's interest to allow work computers to be used for private stuff.

          My boss has my private email address. Once or twice I've answered questions while on holiday. Very often something I read during lunch break for my own private amusement turned out to be very helpful for the job. All that would go away if they suddenly got strict about computer use, although I'd probably jump ship anyway in short order.

          A little trust goes a long way.

      • I use the company phone for all my private calls (it's the only phone I have since I don't need another). I also use the company network and computer for personal usage (i.e. posting here), I have a company computer at home and my Internet connection at home is owned by the company. Works well for me, don't understand why it's seen as so obscene by foremost US citizens.
      • by AmiMoJo ( 196126 )

        From TFA:

        The company had presented him with printouts of his private messages to his brother and fiancée on Yahoo Messenger as evidence of his breach of a company ban on such personal use.

        Barbulescu had previously told his employer in writing that he had only used the service for professional purposes.

        So it's not even email, just Yahoo chat. The issue here is not that he lied about using the service for work only, he could still be fired for that, it's that in the EU an employer can't simply read everything on its network because the users of that network have some small expectation of privacy.

        Don't misunderstand this. Network monitoring for detection of intrusion, scanning emails for viruses and spam, that sort of thing is still fine. Even reading employee emails when there is some good reason

      • by clovis ( 4684 )

        +1 ...

        And why on Earth would someone conduct private business on a company email account.

        Some companies are blocking the common webmail providers.
        It's done for IP security (makes it a little more difficult to send out company confidential information), and also to block the main portal for entry of malware.
        If a person feels they absolutely must communicate with family/friends/commie spies/etc, they can use the phone.
        Also, there's always dingbats that get confused and will use both the company email and google, yahoo, etc for business mail which leads to all kinds of problems.

      • And yes, a company computer, a company connection and a company account DOES BELONG to the company, thus should and will be monitored by the company.

        The company's toilet, the plumbing connection, and the water flowing through it all "DO BELONG" to the company as well.

      • should and would ... I think the point is that they have to officially notify / warn you that they're doing it before they're doing it, I don't think the right of the employer to monitor his own lines is on the table here, but the duty to inform their employers if and when they do before they do it.
        I agree it's their hardware and their lines, just like they get the right to hire and fire whoever they want for whatever reason, no matter how idiotic
        I mean it's all nice to be pc about it, but if your employer
    • by GNious ( 953874 )

      Good luck controlling what is sent to you

  • Privacy is one thing, and most businesses--even Federal agencies--confer a limited personal use policy, allowing you to browse the 'net and do things with their equipment as long as you do your job. This was actually directly described on the MOTD at log-in at the Social Security Administration. There's a reasonable expectation of privacy; it's also their system, and what you do is subject to inspection.

    So yeah, they won't suck up your cookies, hack your gmail, and snoop your bank accounts; they will re

    • If you mixed personal emails with your U.S. government emails, Congress can subpoena your personal email account. Something as innocent as sending an email to inform your boss that you're running late for work can make your personal email account fair game to congressional investigators. Make sure that your personal email account is "clean" unless you want to read about your messy relationship emails in The Washington Post after being leaked by a congressional staffer.
    • I post to /. on my company machine.
      I don't connect to FB or my google account, however.

      Reasonable use doesn't mean private use ;)

  • Who would use the mail box of the office for something personal ?
    At our day and time, the smartphone is more than enough for the odd 3 lines messages for emergencies.
    If you need more, do it at home, not on your company's dime.

    • by RobinH ( 124750 )
      If you're using your phone at work for personal use, you're doing it on your company's dime too, particularly if you're paid hourly.
      • I specifically said "3 lines for emergencies" : life happens (or death, as the case may be).
        Taking more than a minute is where I draw the line.

        But maybe you have a different perception of what construes an emergency.

      • That depends:
        Is it on a designated/designatable break? Then no, you're not on your company's dime.
        Are you an exempt employee and are you achieving what you were tasked to do? Then no, you're not on your company's dime.
        Are you hourly and not on break, or exempt and it's interfering with your ability to complete your task? Then *yes* it is on your company's dime.

  • by CaptainDork ( 3678879 ) on Tuesday September 05, 2017 @10:03AM (#55140871)

    ... in a Technology Administrator Policy and designate an administrator.

    I'm retired now, and when I hired on at a law firm 20 years ago, I wrote that policy and amended it as things changed.

    I blocked shit like match.com, Facebook, Twitter, etc.

    I listed taboos like using business email for non-business purposes and I stated clearly that, at the direction of the partners, I would be monitoring emails, browser history, etc.

    For each and every new hire, I read the Policy to them in the kitchen area and invited them to ask questions then, and at any other time during their employment.

    The last page had a place for two signatures/dates:

    - Theirs, acknowledging that they participated in the counseling

    - Mine, acknowledging same.

    I got a few calls regarding wrongful termination during the years and, in one matter, the fired employee said, "Well, everyone else was doing it."

    I told the work comp lady to add, "Line item 6.1.a, 'Report any violations or suspected violations of this policy to the Technology Administrator.'"

    • by Kjella ( 173770 ) on Tuesday September 05, 2017 @10:44AM (#55141079) Homepage

      I got a few calls regarding wrongful termination during the years and, in one matter, the fired employee said, "Well, everyone else was doing it."

      I told the work comp lady to add, "Line item 6.1.a, 'Report any violations or suspected violations of this policy to the Technology Administrator.'"

      So assuming he wasn't exaggerating you amended a policy nobody followed with another over-the-top rule for them to ignore, brilliant. I've read a few policies like that, in theory they're great. In practice nobody knows, because they're so anal the only real purpose they serve is as legal ammunition against troublesome employees. For example I read my organization's phone application guidelines, install any non-IT approved app and you take full legal liability for any damage it can cause. Meanwhile using it as your personal phone too is encouraged and 95%+ do exactly that, nobody bats an eye at installing anything. It's only there because if shit hits the fan they can throw you to the wolves and blame you for violating policy.

      • It's possible that you don't grok it.

        The longer version, that should be apparent, is that a violator got three strikes.

        Well, 4.

        As a coworker, I'd whisper in their ear that what they were doing was a violation and to stop.

        For each violation, I simply witnessed the reprimand given by a partner. That violation was written up, with proof attached; signed by the violator and me.

        That went into their folder.

        Third time was a charm.

        Example:

        Kara downloaded Picasa, a photo editing thing from Google. "Downloads are pro

        • by AmiMoJo ( 196126 )

          Sounds like an incredibly effective way to destroy productivity. All requests, even for trivial things, have to go through one person, or at least through the IT department.

          Maybe it's different at law firms, but as an engineer it would be impossible to do my job working that way.

          • So, at work, you need Facebook, match.com, and you need to use your work email to forward photos you took with your digital camera?

            • by tlhIngan ( 30335 )

              So, at work, you need Facebook, match.com, and you need to use your work email to forward photos you took with your digital camera?

              Don't need facebook or match.com, though I wouldn't be surprised if someone needed to do their job (social media and the like).

              But digital camera to computer? Yes. Because you wouldn't believe how many support cases are simplified if the client simply takes a photo of the problem. Or in our case, we often photograph circuit boards and point out certain things. Like serial number

        • by Kjella ( 173770 )

          No, I grok it just fine and I think we're perfectly in agreement on how this works.

          "Downloads are prohibited without prior permission from the Technology Administrator."

          Not just applications, but downloads in general? Am I in violation if I download a PDF?

          "Employees will not use personal technology at work (...)

          So if I check my personal cell phone while at work...

          and will not make changes to any of the Firm's technology without prior permission from the Technology Administrator."

          I can't even parse this, am I allowed to turn on/off my computer?

          She was on match.com (this was the trigger for the firewall block, per my recommendation) on a Friday from 2 pm to 5 pm.

          And you religiously enforce this for everyone who spent two minutes checking a non-work related item?

          It was all documented, signed by her, and she was let go.

          Which was my point.. it's not a policy you expect people to follow, it's a policy everyone violates so you can fire those y

          • Any chance at all that you actually support any of the Policy?

            It saved our ass for years.

            We used to simply include it in the hire package.

            We discovered that, like most things in that package, people were like, "OK, whatever. When's vacation, where's the bathroom and kitchen and stuff."

            And, it's not like we hired people just so we could fire them.

            Recall that I personally talked to each new hire.

            It was a friendly, sensible conversation that a few did not want to follow, opting for termination instead.

      • the only real purpose they serve is as legal ammunition against troublesome employees

        Yes and? This appears to be entirely the point of the story. Tell the employees that you have a policy and you're good to go.

    • by AmiMoJo ( 196126 ) on Tuesday September 05, 2017 @10:56AM (#55141141) Homepage Journal

      That sounds like a horrible, Orwellian place to work.

      Did you give employees laptops and phones for travel? Did they routinely turn them off to prevent you activating the camera/microphone and carry a second personal laptop?

      It really sounds like an awful way to live. I wouldn't work at such a place, I'd only go somewhere that doesn't routinely spy on me and largely doesn't care as long as I get stuff done. Even if I didn't care about privacy, I'd assume it was a sign that there were other serious problems with the management style and working environment.

      • It really sounds like you want to read the whole goddam Technology Administration Policy.

        For things that seem whack to you, fill in the fucking blanks with the common sense you would include.

        Recall that I counseled each new hire, personally, one-on-one.

        We're a LAW FIRM.

        Things have to be tight all around.

        • by Cederic ( 9623 )

          You can be tight without being a complete twat about it.

          I know law firms are full of people professionally trained to be utter cunts but that doesn't have to extend to the IT staff. I work for a company with severely more stringent information security requirements than a law firm and we do this scary thing called making it a great place to work.

          You should consider giving it a go some time.

          • I let business run the IT department.

            My partners at the law firm called the shots and I made recommendations that protected the Firm.

            Not all were accepted.

            They got hit with ransomware shortly after I retired because one of the lawyers phished on "nude photos" of some celeb.

            I recommended a more expensive firewall with an aggressive approach to malware but they did their risk analysis and denied my request.

            They signed off on their rejection, so I was CYA.

            Last I heard they bought "ransomware insurance."

            I don't

        • by Teun ( 17872 )
          I wonder how you got your nickname but I can guess...

          My ex is a lawyer and senior partner in a law firm, whatever they do on the company computers needs to be billed to the relevant client and software is installed to keep the timing.
          Yet they can disable this tracker when they take their break and mail and surf with their company's or own account.
          The actual lawyers in the company have a two-level mail address, their.name@lawfirm.com where all is monitored and their.name.direct@lawfirm.com that is unmoni
          • You guessed wrong on the nickname.

            I know that you know that we each make up our own nickname and that the nickname is not, "given."

            I refer you to Dave Barry.

            Appreciate that it applies to you.

            regarding your post: You said what I said, except you exited too hard.

            Terminal events were set by my employer; not you.

            Individual employees are seldom liable for damages related to their work positions.

      • It really sounds like an awful way to live. I wouldn't work at such a place

        You could have just told us you were unemployed. No need to go about it in such a roundabout way.

        But seriously you are being watched. If you're not, let me know who your employer is because they have laughable IT security if that's the case.

      • I travel multiple times a week and, yes, I carry a second, personal laptop. There was a time when we were a smaller company and had more liberal policies. But even if I found myself in that situation again, I don't think I'd go back to carrying just one laptop. They just aren't that heavy and it's well worth it not to mix work and personal stuff. Or for short trips, just use your phone. There's really no reason to have work and personal stuff even on the same machine.
  • by forkfail ( 228161 ) on Tuesday September 05, 2017 @10:08AM (#55140889)

    As soon as it becomes impossible for an organization to maintain complete control of the communications on its own networks, connections to other networks, and data transfers to and from those external networks, you have given carte blanche to those who would steal company secrets, data, and technology.

    This is insane. Folks have cell phones that they don't have to put on corporate/company networks. Use that for personal.

    • Devil's advocate:
      Cell phones are not allowed as they can be used to exfiltrate data.

      Now of course in an environment that strict I would generally presume two things:
      1) In the controlled environment there is a *hard* firewall with default deny to protect the systems.
      2) There are other systems (possibly in a different physical location) that can access the internet at large and are available on break times.

    • by AmiMoJo ( 196126 )

      If an organization is reliant on having complete control of its network for security then it's fucked anyway. Real security has layers. If your security can't survive one phishing email that uses some zero day exploit, or someone connecting an infected laptop to the wifi (e.g. when they get back from a trip), if you ban any equipment you can't totally control... You are both reducing productivity (which IT is supposed to enable) and failing to secure the company systems.

      Anyway, in this case the guy was just

  • The ruling aside, there's no better way to avoid workplace communication monitoring than to use a smartphone with mobile data network connection. Most plans have more than enough data to give you everything you need while you're at work. It's pointless and counterproductive on so many levels to log into anything personal on work machine.
  • That this was more than a couple emails to family when working late hours, it was 10 years ago, so ya BlackBerrys were out, iPhone just getting started, if it was just a quick email saying hi to brother across the country I would be tempted to have some sympathy for the guy, but appears to be flagrant abuse.

  • Why would you even do that? Not smart.
  • As a company, or someone wishing to start one, has to deal with more and more regulation, when do they just shrug?
  • and Liberty

    both of which are lacking in America, but still exist in the EU

  • Back in the years of the BBS, system owners/operators had to display a message to their users when they logged in about the Electronic Communication Privacy Act of 1986 and specifically say if they could in fact guarantee the user's privacy for email, chat logs, etc. I am not able to find the exact text that was displayed, sorry.

  • Email? IM? (Score:4, Interesting)

    by nine-times ( 778537 ) <nine.times@gmail.com> on Tuesday September 05, 2017 @12:06PM (#55141641) Homepage

    From the summary, I had assumed that this was a standard case of a company accessing a person's email that was sent through that company's own mail server. I was pretty much ready to side with the employer. If you send an email through your company's mail server, you should expect that someone might view that email. Even if the employer isn't snooping, there are any number of reasons why someone at the company may need to review your work emails. However, the article states:

    The company had presented Barbulescu with printouts of his private messages to his brother and fiancée on Yahoo Messenger as evidence of his breach of a company ban on such personal use.

    So that makes it sound like this guy was using a personal Yahoo Messenger account. So that kind of takes me in the other direction, in favor of the employee's right to privacy. As a general rule, I don't think that your company should have the right to access your personal email/IM accounts, even if you happen to access them on work devices.

    However, that doesn't really explain how they got access to his chats, unless they were stored on his work computer. I don't feel comfortable saying that a company shouldn't be allowed to review the contents of a company-owned computer. And this is further complicated by the fact that the employee stated, in writing, that the account was being used solely for work purposes. In that case, I could see an argument that the account is a work account, not a personal account, and so the employer should be allowed to access it.

    In any case, I think there's some space between "what an employer should be legally allowed to do" and "what an employer should do". Even if employers can spy on employees and review private email, they should try to avoid reading anything that's not business related.

    • So that makes it sound like this guy was using a personal Yahoo Messenger account. So that kind of takes me in the other direction, in favor of the employee's right to privacy. As a general rule, I don't think that your company should have the right to access your personal email/IM accounts, even if you happen to access them on work devices.

      Work devices are work devices. You want a personal device, carry a personal device. I don't side with the employee in this case. IT security involves dealing with threats and sometimes those threats can be internal as well.

      That said either side of an argument is usually painted in rose. The reality is probably:

      a) the guy was caught transmitting something sensitive.
      b) the guy was seriously slacking off and spending half the day on personal stuff.
      c) the guy was toxic to the company and they were looking to an

    • by dissy ( 172727 )

      So that makes it sound like this guy was using a personal Yahoo Messenger account. So that kind of takes me in the other direction, in favor of the employee's right to privacy. As a general rule, I don't think that your company should have the right to access your personal email/IM accounts, even if you happen to access them on work devices.

      It can be a very fine line, but as the steward of an employer's data, networks, and security policy, IT staff are between a rock and a hard place here.

      The company is legally responsible for vetting contractually and/or legally burdened data from leaving any internal compartmentalized or secured areas to outside networks such as the Internet.

      There are really only two ways to do this.
      A) Monitor the data egressing the network, or
      B) Disallow any and all types of general network access that would permit this in th

      • The company is legally responsible for vetting contractually and/or legally burdened data from leaving any internal compartmentalized or secured areas to outside networks such as the Internet.... In the end I very much worry laws like these will less protect an employee's privacy and more simply force companies to block any and all such privileges in the first place

        Yeah, it is a bit complicated. The need for security varies from industry to industry, and business to business. In many cases, the best option is just to treat employees as trusted adults. Or more to the point, to deal with the need to secure data on a different level, preventing employees from accessing it in the first place rather than trying to police what they do with it. That's generally a better approach, since once the data is available to people, they might find some way to share it.

        There's al

    • by Teun ( 17872 )
      I'm not 100% sure but I believe I remember from a few years ago, when this thing was in another court, that he was using a company account designated for client contact to communicate with his family.
  • In Germany (part of the EU) the ruling is like this:
    An employer has to tell the employee (ideally based in the contract) if company e-mail and equipment is for business use only. This has to be true for all employees.

    If an employer does not provide that information, the ruling states that the employer has to accept that e-mail and equipment is used for personal matters. The only question here is how much - as in if the employee manages to fulfill his 8 hours of work per day and let's say adds 1 hour personal use
