European Court Rules Companies Must Tell Employees of Email Checks (reuters.com)
Companies must tell employees in advance if their work email accounts are being monitored and such checks must not unduly infringe workers' privacy, the European Court of Human Rights ruled on Tuesday. From a report: In a judgment in the case of a man fired 10 years ago for using a work messaging account to communicate with his family, the judges found that Romanian courts failed to protect Bogdan Barbulescu's private correspondence because his employer had not given him prior notice it was monitoring his communications. Email privacy has become a hotly contested issue as more people use work addresses for personal correspondence even as employers demand the right to monitor email and computer usage to ensure staff use work email appropriately. Courts in general have sided with employers on this issue.
I work in IT (Score:4, Insightful)
So I'm going to assume they can and will read anything I do at work and act accordingly.
Re: (Score:3)
So I'm going to assume they can and will read anything I do at work and act accordingly.
Yeah, shouldn't that be the base assumption? Even if it's not actively being monitored or has ever been it has the potential to be and can at least be checked up on.
Grey area: ruling makes sense (Score:3)
Yeah, shouldn't that be the base assumption?
No. It might be the cautious assumption but that does not mean that someone who expects some level of privacy has unreasonable expectations. There are many different levels of private email correspondence. For example, if I email my wife to let her know that I will be home late because of work I would not expect my employer to fire me for personal use of work email. However, if you tried to run a small business of eBay selling things through your work email then yes I would expect any employer would likely
Re: (Score:2)
if I email my wife to let her know that I will be home late because of work I would not expect my employer to fire me for personal use of work email
You miss the point. The base assumption should be that your employer will know that you mailed your wife to let her know that you'll be home late.
Re: (Score:2)
For example, if I email my wife to let her know that I will be home late because of work I would not expect my employer to fire me for personal use of work email. However, if you tried to run a small business of eBay selling things through your work email then yes I would expect any employer would likely fire you for that!
And how would you expect the employer to know you are doing either? Because they have access to your work email and the ability to look through it. For example, say you work at super company x. You email your wife to say you'll be late or to get milk, some colleagues or even friends about non work related matter. Not really a big deal unless you take the piss. Now say rival company y comes to you and wants some trade secrets in exchange for bags of cash, you wouldn't dream of sending that from your work ema
Re: (Score:3)
So I'm going to assume they can and will read anything I do at work and act accordingly.
Yeah, shouldn't that be the base assumption? Even if it's not actively being monitored or has ever been it has the potential to be and can at least be checked up on.
No, it shouldn't. And in Europe a reasonable expectation of privacy is a codified right.
Re: (Score:3)
Well, no, not end of story at all. The story includes regulatory compliance, which covers things like protecting consumer data, fiduciary responsibility, obligations against modern slavery and various audit controls.
Failing to monitor work email accounts is in some situations actually illegal.
Re: (Score:3)
As Carewolf writes in the EU (that includes Romania) there is the codified Expectation of Privacy.
Virtually all companies that use a law office for their contracts will have their employees sign a paper that they understand the company supplied mail and Internet access can be monitored.
Such a contract would include that you can to an extent use it for private conversations, abuse will not be accepted.
Another way to look at it is when the mail address includes
Re: (Score:3)
No it's most certainly not end of story.
As Carewolf writes in the EU (that includes Romania) there is the codified Expectation of Privacy.
Virtually all companies that use a law office for their contracts will have their employees sign a paper that they understand the company supplied mail and Internet access can be monitored.
The details might depend on the country, but in Germany such contracts are only legal and valid if they are exceptions, that is if they only apply to a minority of employees for whom special consideration makes such a contract necessary. If forced on everybody it is not just not valid, it is outright illegal.
Re: (Score:2)
Work email accounts belong to the company, end of story. To assume otherwise is delusional.
Nope. Not anywhere in the EU.
Re:I work in IT (Score:4, Informative)
+1 ...
And why on Earth would someone conduct private business on a company email account.
Now if they sniff my private mails going to my phone through an external provider, or my home email, that would be a different story.
But again, I wouldn't use the company's wifi to even receive private mail or access private stuff. For that, you have your data plan.
And yes, a company computer, a company connection and a company account DOES BELONG to the company, thus should and will be monitored by the company.
Re: (Score:2)
>And why on Earth would someone conduct private business on a company email account.
Because you're working late and you need to tell your wife that you're going to be late home, and your employer isn't a douche so is fine with you sending personal emails and has said so.
Not every employer has a scorched earth policy regarding these things.
Re: (Score:2)
My company has a "guest" WiFi and a company WiFi. I *assume* both are monitored, and I *assume* that I have no privacy on either.
In the case of the guest WiFi I view it no different than the WiFi at a starbucks. I'll use it, but only through a VPN using a pre-shared key and strong encryption. My company WiFi I won't use at all, other than to connect with my company provided computer.
Re: (Score:3)
And why on Earth would someone conduct private business on a company email account.
Have you ever met people? They're idiots.
Re: (Score:2)
It's actually in the company's interest to allow work computers to be used for private stuff.
My boss has my private email address. Once or twice I've answered questions while on holiday. Very often something I read during lunch break for my own private amusement turned out to be very helpful for the job. All that would go away if they suddenly got strict about computer use, although I'd probably jump ship anyway in short order.
A little trust goes a long way.
Re: (Score:3)
From TFA:
The company had presented him with printouts of his private messages to his brother and fiancée on Yahoo Messenger as evidence of his breach of a company ban on such personal use.
Barbulescu had previously told his employer in writing that he had only used the service for professional purposes.
So it's not even email, just Yahoo chat. The issue here is not that he lied about using the service for work only, he could still be fired for that, it's that in the EU an employer can't simply read everything on its network because the users of that network have some small expectation of privacy.
Don't misunderstand this. Network monitoring for detection of intrusion, scanning emails for viruses and spam, that sort of thing is still fine. Even reading employee emails when there is some good reason
Re: (Score:2)
+1 ...
And why on Earth would someone conduct private business on a company email account.
Some companies are blocking the common webmail providers.
It's done for IP security (makes it a little more difficult to send out company confidential information), and also to block the main portal for entry of malware.
If a person feels they absolutely must communicate with family/friends/commie spies/etc, they can use the phone.
Also, there's always dingbats that get confused and will use both the company email and google, yahoo, etc for business mail which leads to all kinds of problems.
Re: (Score:2)
Most people in the UK (and I'd guess the rest of the EU) have a personal telephone with them even when at work, so it's very possible to contact people through telephony without using any company equipment at all.
Although of course, most phones these days allow use of private email too, so it's odd to suggest ringing people you want to email..
Re: (Score:2)
The company's toilet, the plumbing connection, and the water flowing through it all "DO BELONG" to the company as well.
Re: (Score:1)
I agree it's their hardware and their lines, just like they get the right to hire and fire whoever they want for whatever reason, no matter how idiotic
I mean it's all nice to be PC about it, but if your employer
Re: (Score:2)
Good luck controlling what is sent to you
Don't do that with your work account (Score:2)
Privacy is one thing, and most businesses--even Federal agencies--confer a limited personal use policy, allowing you to browse the 'net and do things with their equipment as long as you do your job. This was actually directly described on the MOTD at log-in at the Social Security Administration. There's a reasonable expectation of privacy; it's also their system, and what you do is subject to inspection.
So yeah, they won't suck up your cookies, hack your gmail, and snoop your bank accounts; they will re
Re: (Score:3)
And that's the reason why this company lost: they didn't tell the employee about the monitoring.
So there'll be a single line added in an obscure place to the pile of paper you're required to sign upon being hired, without even an opportunity to actually read what you're signing.
Re: (Score:3)
No, because the EU laws don't allow for that douchebaggery to exist.
I work in the EU and there are big signs at entry doors warning that the place is being monitored through CCTV.
We have signed a separate document which details what exactly is being monitored, how and for how long, with a list of cases where monitoring would happen, etc.
I do know that all files on my company-issued laptop are scanned and their file names (NOT the contents) are saved for later scrutiny if need be, but in order for that scrut
Re: (Score:2)
Correct. Though in exceptional circumstances you can still monitor the emails without telling the employee.
This was a super narrow judgement, tell the employee that work email accounts will be monitored and you are in the free and clear. I would add that any sensible employer would already be telling their employees that anyway.
Re: (Score:2)
As the chairman of our works council I've been in that situation, there was indication one of our lab managers was in the process of setting up a competing lab in his own name.
He was released a day later, the proof was overwhelming, what a stupid idiot to use company mail for such a dirty trick.
Re: (Score:2)
I post to /. on my company machine.
I don't connect to FB or my google account, however.
Reasonable use doesn't mean private use ;)
Why would this matter ? (Score:2)
Who would use the mail box of the office for something personal ?
At our day and time, the smartphone is more than enough for the odd 3 lines messages for emergencies.
If you need more, do it at home, not on your company's dime.
Re: (Score:2)
I specifically said "3 lines for emergencies" : life happens (or death, as the case may be).
Taking more than a minute is where I draw the line.
But maybe you have a different perception of what construes an emergency.
Re: (Score:2)
That depends:
Is it on a designated/designatable break? Then no, you're not on your company's dime.
Are you an exempt employee and are you achieving what you were tasked to do? Then no, you're not on your company's dime.
Are you hourly and not on break, or exempt and it's interfering with your ability to complete your task? Then *yes* it is on your company's dime.
Put it in writing ... (Score:3, Insightful)
... in a Technology Administrator Policy and designate an administrator.
I'm retired now, and when I hired on at a law firm 20 years ago, I wrote that policy and amended it as things changed.
I blocked shit like match.com, Facebook, Twitter, etc.
I listed taboos like using business email for non-business purposes and I stated clearly that, at the direction of the partners, I would be monitoring emails, browser history, etc.
For each and every new hire, I read the Policy to them in the kitchen area and invited them to ask questions then, and at any other time during their employment.
The last page had a place for two signatures/dates:
- Theirs, acknowledging that they participated in the counseling
- Mine, acknowledging same.
I got a few calls regarding wrongful termination during the years and, in one matter, the fired employee said, "Well, everyone else was doing it."
I told the work comp lady to add, "Line item 6.1.a, 'Report any violations or suspected violations of this policy to the Technology Administrator.'"
Re:Put it in writing ... (Score:5, Insightful)
I got a few calls regarding wrongful termination during the years and, in one matter, the fired employee said, "Well, everyone else was doing it."
I told the work comp lady to add, "Line item 6.1.a, 'Report any violations or suspected violations of this policy to the Technology Administrator.'"
So assuming he wasn't exaggerating you amended a policy nobody followed with another over-the-top rule for them to ignore, brilliant. I've read a few policies like that, in theory they're great. In practice nobody knows, because they're so anal the only real purpose they serve is as legal ammunition against troublesome employees. For example I read my organization's phone application guidelines, install any non-IT approved app and you take full legal liability for any damage it can cause. Meanwhile using it as your personal phone too is encouraged and 95%+ do exactly that, nobody bats an eye at installing anything. It's only there because if shit hits the fan they can throw you to the wolves and blame you for violating policy.
Re: (Score:3)
It's possible that you don't grok it.
The longer version, that should be apparent, is that a violator got three strikes.
Well, 4.
As a coworker, I'd whisper in their ear that what they were doing was a violation and to stop.
For each violation, I simply witnessed the reprimand given by a partner. That violation was written up, with proof attached; signed by the violator and me.
That went into their folder.
Third time was a charm.
Example:
Kara downloaded Picasa, a photo editing thing from Google. "Downloads are pro
Re: (Score:2)
Sounds like an incredibly effective way to destroy productivity. All requests, even for trivial things, have to go through one person, or at least through the IT department.
Maybe it's different at law firms, but as an engineer it would be impossible to do my job working that way.
Re: (Score:2)
So, at work, you need Facebook, match.com, and you need to use your work email to forward photos you took with your digital camera?
Re: (Score:2)
Don't need facebook or match.com, though I wouldn't be surprised if someone needed to do their job (social media and the like).
But digital camera to computer? Yes. Because you wouldn't believe how many support cases are simplified if the client simply takes a photo of the problem. Or in our case, we often photograph circuit boards and point out certain things. Like serial number
Re: (Score:2)
Did you even read the fucking part about "personal photos," and "Picasa?"
You're trolling.
I get that.
Bye.
Re: (Score:2)
No, I grok it just fine and I think we're perfectly in agreement on how this works.
"Downloads are prohibited without prior permission from the Technology Administrator."
Not just applications, but downloads in general? Am I in violation if I download a PDF?
"Employees will not use personal technology at work (...)
So if I check my personal cell phone while at work...
and will not make changes to any of the Firm's technology without prior permission from the Technology Administrator."
I can't even parse this, am I allowed to turn on/off my computer?
She was on match.com (this was the trigger for the firewall block, per my recommendation) on a Friday from 2 pm to 5 pm.
And you religiously enforce this for everyone who spent two minutes checking a non-work related item?
It was all documented, signed by her, and she was let go.
Which was my point.. it's not a policy you expect people to follow, it's a policy everyone violates so you can fire those y
Re: (Score:2)
Any chance at all that you actually support any of the Policy?
It saved our ass for years.
We used to simply include it in the hire package.
We discovered that, like most things in that package, people were like, "OK, whatever. When's vacation, where's the bathroom and kitchen and stuff."
And, it's not like we hired people just so we could fire them.
Recall that I personally talked to each new hire.
It was a friendly, sensible conversation that a few did not want to follow, opting for termination instead.
Re: (Score:2)
the only real purpose they serve is as legal ammunition against troublesome employees
Yes and? This appears to be entirely the point of the story. Tell the employees that you have a policy and you're good to go.
Re:Put it in writing ... (Score:4, Insightful)
That sounds like a horrible, Orwellian place to work.
Did you give employees laptops and phones for travel? Did they routinely turn them off to prevent you activating the camera/microphone and carry a second personal laptop?
It really sounds like an awful way to live. I wouldn't work at such a place, I'd only go somewhere that doesn't routinely spy on me and largely doesn't care as long as I get stuff done. Even if I didn't care about privacy, I'd assume it was a sign that there were other serious problems with the management style and working environment.
Re: (Score:2)
It really sounds like you want to read the whole goddam Technology Administration Policy.
For things that seem whack to you, fill in the fucking blanks with the common sense you would include.
Recall that I counseled each new hire, personally, one-on-one.
We're a LAW FIRM.
Things have to be tight all around.
Re: (Score:2)
You can be tight without being a complete twat about it.
I know law firms are full of people professionally trained to be utter cunts but that doesn't have to extend to the IT staff. I work for a company with severely more stringent information security requirements than a law firm and we do this scary thing called making it a great place to work.
You should consider giving it a go some time.
Re: (Score:2)
I let business run the IT department.
My partners at the law firm called the shots and I made recommendations that protected the Firm.
Not all were accepted.
They got hit with ransomware shortly after I retired because one of the lawyers phished on "nude photos" of some celeb.
I recommended a more expensive firewall with an aggressive approach to malware but they did their risk analysis and denied my request.
They signed off on their rejection, so I was CYA.
Last I heard they bought "ransomware insurance."
I don't
Re: (Score:2)
My ex is a lawyer and senior partner in a law firm, whatever they do on the company computers needs to be billed to the relevant client and software is installed to keep the timing.
Yet they can disable this tracker when they take their break and mail and surf with their company's or own account.
The actual lawyers in the company have a two-level mail address, their.name@lawfirm.com where all is monitored and their.name.direct@lawfirm.com that is unmoni
Re: (Score:2)
You guessed wrong on the nickname.
I know that you know that we each make up our own nickname and that the nickname is not, "given."
I refer you to Dave Barry.
Appreciate that it applies to you.
Regarding your post: You said what I said, except you exited too hard.
Terminal events were set by my employer; not you.
Individual employees are seldom liable for damages related to their work positions.
Re: (Score:2)
It really sounds like an awful way to live. I wouldn't work at such a place
You could have just told us you were unemployed. No need to go about it in such a roundabout way.
But seriously you are being watched. If you're not, let me know who your employer is because they have laughable IT security if that's the case.
Invitation To Theft (Score:3, Insightful)
As soon as it becomes impossible for an organization to maintain complete control of the communications on its own networks, connections to other networks, and data transfers to and from those external networks, you have given carte blanche to those who would steal company secrets, data, and technology.
This is insane. Folks have cell phones that they don't have to put on corporate/company networks. Use that for personal.
Re: (Score:2)
Devil's advocate:
Cell phones are not allowed as they can be used to exfiltrate data.
Now of course in an environment that strict I would generally presume two things:
1) In the controlled environment there is a *hard* firewall with default deny to protect the systems.
2) There are other systems (possibly in a different physical location) that can access the internet at large and are available on break times.
Re: (Score:1)
Why is this marked as insightful? If you as an employer have so little trust in your employees that you need complete control of the communications to stop stealing of company secrets, data and technology then a) you're going to fail to stop those leaks because there's too many other ways to get the data out and b) you're going to fail as a company because any employee worth their salt will go to a company that trusts them.
Are you even 14 years old? 16? "Why don't you trust me" is a cry from misbehaving teenagers.
No. You can't trust everyone. It's a fact.
And it's not so much evil people that you're trying to protect yourself from, it's stupid people.
Re: (Score:2)
there's too many other ways to get the data out
You'd be surprised how fucking hard it can get though, after even the most basic of security constraints are put in place.
I have access to offices in multiple countries globally and I still can't get into a specific part of one of our local offices, because the team in there have deep access to very sensitive data.
That team are not trusted with that access. They're monitored, audited, logged and educated. They're vetted when they're hired, and know that they aren't trusted.
They don't leave because they resp
Re: (Score:2)
If an organization is reliant on having complete control of its network for security then it's fucked anyway. Real security has layers. If your security can't survive one phishing email that uses some zero day exploit, or someone connecting an infected laptop to the wifi (e.g. when they get back from a trip), if you ban any equipment you can't totally control... You are both reducing productivity (which IT is supposed to enable) and failing to secure the company systems.
Anyway, in this case the guy was just
No need to use work email due to Smartphones (Score:2)
Going to assume (Score:2)
That this was more than a couple emails to family when working late hours, it was 10 years ago, so ya BlackBerrys were out, iPhone just getting started, if it was just a quick email saying hi to brother across the country I would be tempted to have some sympathy for the guy, but appears to be flagrant abuse.
2017: Using work email for personal business (Score:2)
Harder to create jobs? (Score:2)
It's called Freedom (Score:1)
and Liberty
both of which are lacking in America, but still exist in the EU
Oddly Enough.. (Score:1)
Back in the years of the BBS, system owners/operators had to display a message to their users when they logged in about the Electronic Communication Privacy Act of 1986 and specifically say if they could in fact guarantee the user's privacy for email, chat logs, etc. I am not able to find the exact text that was displayed, sorry.
Email? IM? (Score:4, Interesting)
From the summary, I had assumed that this was a standard case of a company accessing a person's email that was sent through that company's own mail server. I was pretty much ready to side with the employer. If you send an email through your company's mail server, you should expect that someone might view that email. Even if the employer isn't snooping, there are any number of reasons why someone at the company may need to review your work emails. However, the article states:
The company had presented Barbulescu with printouts of his private messages to his brother and fiancée on Yahoo Messenger as evidence of his breach of a company ban on such personal use.
So that makes it sound like this guy was using a personal Yahoo Messenger account. So that kind of takes me in the other direction, in favor of the employee's right to privacy. As a general rule, I don't think that your company should have the right to access your personal email/IM accounts, even if you happen to access them on work devices.
However, that doesn't really explain how they got access to his chats, unless they were stored on his work computer. I don't feel comfortable saying that a company shouldn't be allowed to review the contents of a company-owned computer. And this is further complicated by the fact that the employee stated, in writing, that the account was being used solely for work purposes. In that case, I could see an argument that the account is a work account, not a personal account, and so the employer should be allowed to access it.
In any case, I think there's some space between "what an employer should be legally allowed to do" and "what an employer should do". Even if employers can spy on employees and review private email, they should try to avoid reading anything that's not business related.
Re: (Score:2)
So that makes it sound like this guy was using a personal Yahoo Messenger account. So that kind of takes me in the other direction, in favor of the employee's right to privacy. As a general rule, I don't think that your company should have the right to access your personal email/IM accounts, even if you happen to access them on work devices.
Work devices are work devices. You want a personal device, carry a personal device. I don't side with the employee in this case. IT security involves dealing with threats and sometimes those threats can be internal as well.
That said either side of an argument is usually painted in rose. The reality is probably:
a) the guy was caught transmitting something sensitive.
b) the guy was seriously slacking off and spending half the day on personal stuff.
c) the guy was toxic to the company and they were looking to an
Re: (Score:2)
So that makes it sound like this guy was using a personal Yahoo Messenger account. So that kind of takes me in the other direction, in favor of the employee's right to privacy. As a general rule, I don't think that your company should have the right to access your personal email/IM accounts, even if you happen to access them on work devices.
It can be a very fine line, but as the steward of an employer's data, networks, and security policy, IT staff are between a rock and a hard place here.
The company is legally responsible for vetting contractually and/or legally burdened data from leaving any internal compartmentalized or secured areas to outside networks such as the Internet.
There are really only two ways to do this.
A) Monitor the data egressing the network, or
B) Disallow any and all types of general network access that would permit this in th
Re: (Score:2)
The company is legally responsible for vetting contractually and/or legally burdened data from leaving any internal compartmentalized or secured areas to outside networks such as the Internet.... In the end I very much worry laws like these will less protect an employee's privacy and more simply force companies to block any and all such privileges in the first place
Yeah, it is a bit complicated. The need for security varies from industry to industry, and business to business. In many cases, the best option is just to treat employees as trusted adults. Or more to the point, to deal with the need to secure data on a different level, preventing employees from accessing it in the first place rather than trying to police what they do with it. That's generally a better approach, since once the data is available to people, they might find some way to share it.
There's al
In Germany .. (Score:1)
In Germany (part of the EU) the ruling is like this:
An employer has to tell the employee (ideally based in the contract) if company e-mail and equipment is for business use only. This has to be true for all employees.
If an employer does not provide that information ruling states that the employer has to accept that e-mail and equipment is used for personal matters. The only question here is how much - as in if the employee manages to fulfill his 8 hours of work per day and let's say adds 1 hour personal use