0wnz0rsh!p

The CIBC continues to tap rich new veins in their ongoing comedy goldmine.

Key paragraph:


“A lot of people on the Street are going to have a few sleepless nights, going through loads of e-mail to delete them when they hear about this case,” said Don Johnston, a technology and privacy specialist at Toronto law firm Aird & Berlis. “But what is so terrifying to people is that they can’t really delete their e-mails. They could be stored in any number of places.”

By which they mean, of course, that a lot of people on the Street are going to wonder if the unprofessional, irresponsible or treasonous things they said through a system they don’t clearly understand, that their employer owns outright and pays very smart people to run might possibly come back to haunt them.

Gee, you think?

As an admin I don’t care if you’re reading Metafilter over your coffee break, blowing off some steam with a flash game while you’re on the phone or occasionally e-mailing your great-aunt during office hours, and if it makes your life a little bit easier while you’re doing your job,good on ya. I don’t care and if you’re doing your job nobody ever will. But if you don’t think that every last one or zero that crosses every single wire on your entire corporate network can be logged and archived, you’ve got a big ugly ol’ other thing coming.

One place I worked for way back kept snapshots of people’s personal folders once they found anything inappropriate (read: pr0n) in them, not because they weren’t doing their jobs and not because they were going to get fired, but so that if management felt like arbitrarily firing them in the future, they always had a trump card around to deal with wrongful dismissal lawsuits. As far as I know those snapshots were never deleted.

Which is all to say, when you’re using work machines, you should act like you’re at work.

Sleep tight.

17 Comments

  1. Jim Millen
    Posted January 10, 2005 at 10:44 am | Permalink

    It would be nice if there was a foolproof way to educate all email users about this sort of thing, but I’m not going to hold my breath.

    My biggest related peeve is these periodic complaints (sometimes even in otherwise respectable publications) that employers reading your email is *gasp* an Invasion of Privacy! Idiots.

    Oh, and since I kind of missed the last post – congratulations on the engagement!

  2. Mike Hoye
    Posted January 10, 2005 at 3:45 pm | Permalink

    You know, an old Jujutsu instructor once told me that there’s only one way to fight ten guys. He said it’s pretty straightfoward: you have to break the first one, fast. Not hit or push away: break. Snap, scream, drop. Make sure that nobody wants to be next, and nobody will go next. In short, if they don’t know what respect is, make sure they know fear.

    Hey, and thanks. I’m pretty happy about it.

  3. Melanie
    Posted January 10, 2005 at 6:05 pm | Permalink

    Pardon my jumping in to fill my usual role as the person everyone disagrees with.

    I must here make a case for “reading my email IS an invasion of my privacy”. Which is not to say that I shouldn’t act like people might do it, just like I should act like someone might break into my house and read my diary (or something a little easier than that, but equally wrong). That doesn’t make it right. Even if there’s incriminating evidence there that, say, I killed someone. Or take an example a little closer in type – listening in on my phone line. It’s easy to do if you have the right technology and know-how. But it’s not legal or right unless you’ve got a warrant. Would you support the right of employers to stick cameras in the bathroom stalls of their washrooms to make sure employees aren’t slacking off instead of doing their business? It’s the same thing. There are better ways of checking to see if employees are being productive. Like, do they produce something?

    As technology rules our lives more and more, and the ability to collect, filter, and store information increases, it will become increasingly important to define as a society the right to protect information about oneself, or we are going to become a society ruled by fear of Big Brother. This is an issue very close to home for those of us living in a country where our rights are being systematically stripped away in the name of national security.

  4. Jim Millen
    Posted January 10, 2005 at 7:23 pm | Permalink

    Don’t get me wrong, I’m pretty keen on having a right to privacy. But a company email account is usually there for business purposes. It usually takes the form $NAME@$COMPANY.com, and as such any misuse can, and does, affect the reputation of the company in question. Furthermore it is a service that costs real money to run – and if somebody is, say, emailing movies to their friends then it is possibly going to have a detrimental effect on the overall network performance. (Thinking more of small businesses here, admittedly.)

    In light of the above, and the fact that the company owns the computer, the servers, the bandwidth etc., I have no problem with the assumption that work email will be monitored. If I want private email, I can use my own internet connection. Oh, and PGP.

    I agree that if a company is relying entirely on email monitoring to check their staff, then it’s probably a damn poor company. The majority of companies allow a certain amount of leeway with use of email, and the majority of staff respect that and do not abuse the system. I think the company also has a duty to use monitored email in an ethical manner. However, this doesn’t alter the fact that your employer owns the email you send, and this is usually spelled out in email AUPs. Why shouldn’t they read it?

    To take your diary example above, of course it would be wrong for someone to enter your home and read your personal diary. But say you kept a work diary that was issued to you by the company, and was intended to be used for keeping track of meetings, deadlines, whatever. Say it was company regulations that each employee kept these diaries on their desks. Now, say you record personal information in this diary. A colleague needs to check a time of your meeting so they look in the diary – but find your personal notes. Is this an invasion of privacy? I don’t think it is. And it is much closer to the situation of work email.

    Personal email is another matter. If you are paying someone for email services, then you have a right to not have that email monitored. That this is not often the case is a reflection of poor management of technology and devious small-print AUPs.

  5. Melanie
    Posted January 10, 2005 at 8:03 pm | Permalink

    I can see an argument for making clearly work-only email accounts monitored (the same way that the telephone lines of custumer service representatives are monitored – I have no problem with this). The problem is I guess that there really isn’t a clear boundary between work and personal email accounts in many settings, e.g. academia. Furthermore, if I am reading my personal email at work, this is still passing through the system and could be recorded (presumably). Yes, I could use PGP, but we’re talking about whether employers should read email, not whether they can. (Employers could simply ban encrypted email.)

    In my mind, the problem is that email wades the murky grey between conversation and document. We view it as transient because it is fast and convenient. But by its nature it is much more permanent than your typical conversation. It calls to mind an episode of Law and Order in which a deaf person’s telephone transcript was admitted into evidence without a warrant to record the call. I don’t remember whether it was thrown out or not in the episode, nor do I know how the real-life law falls out on that issue. But you see my point.

    Clarification, please: What’s an AUP? Some sort of company policy statement regarding the use of email?

  6. Mike Hoye
    Posted January 10, 2005 at 10:36 pm | Permalink

    Acceptable Use Policy.

    The problem is I guess that there really isn’t a clear boundary between work and personal email accounts in many settings, e.g. academia.

    I bet that you signed an AUP that pretty clearly spells out what constitutes abuse when you signed on for your school and work accounts. Once you’ve signed that, I doubt it matters much what you think, compared to what they can demonstrate you’ve done.

    P.S: Mel, encrypting your e-mail won’t help. Sure, if you’re routing it through compromised cable from secure endpoints, that’ll help, but we’re talking about a network that your employer 0wnz end to end.

  7. Jim Millen
    Posted January 11, 2005 at 7:15 am | Permalink

    In my mind, the problem is that email wades the murky grey between conversation and document.

    That’s precisely the problem. There isn’t in fact any grey area at all here – emails sent through company accounts are company documents, pure and simple. The fact that they are stored electronically makes no difference. As company documents, it is wholly within the company’s rights to look at them if they so choose.

    The “company” I have been referring to could equally be a university, or a charity, or any other organisation. My university, for example, makes it very clear that personal email is a privilege, not a right, and if inappropriate usage is made, that service will be removed. Several people a while back were restricted to campus-only email for precisely this reason.

    Now, the real issue here is that people believe there is a grey area in these matters. This is down to a combination of work norms, ease of use of software, culture, and signing AUPs without properly reading them. Hence my comment earlier about properly educating email users – it would be nice. Not very likely, though.

  8. Melanie
    Posted January 11, 2005 at 12:58 pm | Permalink

    Hmm. I probably did sign something along those lines, yes, but signing something saying I will use the system appropriately doesn’t intrinsically mean I signed something giving them the right to monitor to enforce it. I send my email through a department-internal mail server and receive email through same onto my personal/work laptop, which I administer (poorly of course). Of course, in order to use the .edu address, my mail is routed through their system – but they don’t control the endpoints.

    I’m not arguing with you about the current status of email in the law. As far as I know, you’re right that it’s treated as a document. But the law has its head totally up its @ss when it comes to technology, especially computers. Consider copyright/patent/whatever law and software code. Last I checked (admittedly this was a few years ago, but I think I’d have heard if it had all been straightened out, given my social circles) this was a complete mess. It’s the law that needs to catch up with society, not vice versa.

  9. Mike Hoye
    Posted January 11, 2005 at 1:15 pm | Permalink

    In general, signing something saying that you’ll act appropriately doesn’t automagically mean that you’re consenting to be monitored. Unfortunately, this hypothetical general case you’re referring to doesn’t actually exist. Every AUP I have ever seen specifies what is and isn’t appropriate, and what monitoring actions you can expect to take place as a matter of course.

    For example, If you signed the AUP at Brown while you were there, you signed a document whose scope includes “personally owned computers and devices connected by wire or wireless to the campus network, and to off-campus computers that connect remotely to the University’s network” and that specifies the conditions under which your account can be closely examined, including the very nebulous “determining if an individual is in violation of this policy”.

    In fact, they spell out very explicitly that “You should not expect email privacy when connected to the Brown University network.”

  10. Melanie
    Posted January 11, 2005 at 1:38 pm | Permalink

    Hmm, that’s interesting. What it actually says is: “You should not expect email privacy when connected to the Brown University network. University staff may inadvertently be exposed to email in the course of their work. In cases where information is inadvertently exposed, staff are required to keep the contents confidential. Remember that email is easily redistributed and may be read by people beyond the original recipient list.”

    My quick glance at the rest of that document, which you’re right, I probably did “sign” (click “I accept”) at some point without reading, indicates an attitude that I’m pretty content with. The tone is “We can’t guarantee privacy given the nature of the system, but we will do our best to respect your privacy, unless we think you’re doing something to screw us”. But I’ll point out, this tone suggests to me that Brown does in fact expect its users (staff, students and faculty) to use their account for personal email.

  11. Melanie
    Posted January 11, 2005 at 1:41 pm | Permalink

    Here’s another interesting section: “You have a reasonable expectation of unobstructed use of these tools, of certain degrees of privacy (which may vary depending on whether you are a University employee or a matriculated student), and of protection from abuse and intrusion by others sharing these resources. You can expect your right to access information and to express your opinion to be protected as it is for paper and other forms of non-electronic communication.”

  12. Jim Millen
    Posted January 11, 2005 at 1:55 pm | Permalink

    Ok, let me try something a little different. Say you owned a company. One day you start to receive complaints that somebody from your company is sending pornographic images, threatening emails, whatever. But you’re prevented by law from looking at files on email servers that you own in order to verify that this is correct. So you can’t in fairness fire or discipline the employee who is misusing the system. Would you genuinely be happy with a system such as this?

    I certainly don’t think that companies should casually allow their IT staff to dip into everyone’s email. There should be rigorous procedures in place to ensure email monitoring is carried out only when necessary, and is never disclosed outside the organisation, unless legally required. But it is the only way the company has of enforcing proper email usage, and as such it must remain within their rights.

    I doubt I’ll say anything more on the subject – if what I’ve said so far doesn’t convince you, I can’t imagine anything else will. Just for reference, I’m not some sort of ultra-authoritarian weirdo – I totally oppose, say, government monitoring of email without proper legal authorisation. In the case of companies, though, there is good reason for it.

  13. Jim Millen
    Posted January 11, 2005 at 2:01 pm | Permalink

    Hmmm, I posted that last before seeing the previous three messages. If you’re happy with the rights and obligations for both the University and the user outlined in the AUP Mike linked to, then I don’t think we have any disagreement.

  14. Melanie
    Posted January 11, 2005 at 2:15 pm | Permalink

    Yep, I think we’ve beaten this one to death. Thanks for point out that Brown AUP, Mike, it’s an interesting read.

  15. Mike Bruce
    Posted January 11, 2005 at 8:19 pm | Permalink

    I’m not a fan of monitoring type stuff. This particular thing brings to mind one of my favorite DBJ quotes (though it isn’t directly related:

    > If I send my employees an e-mail and one of them says that they havn't
    > seen it, is there a way to determine whether or not it has actually
    > been opened without recieving a reply to the message.
    
    Sure. Install video cameras covering all your computers. Make sure to
    bolt the monitors down where the cameras can see them. Wait for an
    employee to ``accidentally'' block the camera view, and then fire him,
    and make sure everyone knows why. Disable all forms of mail forwarding;
    the easiest way to do this is to cut off all access to the Internet.
    
    You might also be interested in http://www.phone-monitoring.dom and
    http://www.toilet-cameras.dom. I don't know if you've heard the ``we're
    the dot in .dom'' commercials; .dom is a new TLD aimed at PHBs who have
    embraced the dominator-slave paradigm of employee empowerment.

    I think I might be unreasonably taken by the phrase “dominator-slave paradigm of employee empowerment.”

  16. chad
    Posted January 13, 2005 at 1:57 pm | Permalink

    OK, so, barn, horse, etc. A few potentially interesting points..

    Here in These United States of Central North America, the `right’ to privacy has an unusual legal footing. Imagine that it’s being supported by an elephant, standing on one foot. Now imagine that the elephant is surrounding by lawyers, constantly poking at the elephant with punji sticks. If the lawyers spread out more or less evenly, the flinching elephant more or less remains balanced.

    Note: I tried to think of a way to make the analogy seem more `tortured’, but then I got lazy. I hope you get the idea.

    A key element in US legal cases involving invasion of privacy is the “reasonable expectation of privacy”. For example, a recent New York judge held that it was not an illegal invasion of privacy for the police to surreptitiously add a gps tracker to a car, and then follow the car, because the driver had no reasonable expectation of privacy as to the location of his vehicle on public roads. This specific case will probably be examined at higher levels for other reasons, but I think that it’s a good example of the importance of the concept in US privacy law. That’s why you see similar language in the Brown AUP (and in most others, as well).

    There are two other major influences that might be interesting to your discussion (unless everyone is tired of it, in which case nevermind :-):

    1.) Phone companies have more-or-less special status as `common carriers’ of materials that grants them legal immunity to the content carried, provided that they are totally agnostic as to those contents. This means that I can’t sue AT&T for providing Mike a means to harass me when he calls me repeatedly, insulting my dubious lineage, etc. For the most part, this `common carier’ status extends only partly or not at all to on-line systems, because it has a different basis in law (partially, the DMCA, in fact) and because on-line service providers generally *are* involved in content regulation, selection, creation, etc. This runs counter to many people’s intuition — many people feel like email, aim, web discussion boards, etc. are simply `new technology’ versions of the telephone. This conception is (yet?) not reflected by law.

    2.) In modern US experience, it is difficult to find such a `common carrier’ provider, even if you knew to look for one. Most services want to provide you content (for business and convenience reasons), and this makes them at least suspect for common-carrier status. Most institutions feel like their public and professional image is affected by use of their name (and often, brands, trademarks, service marks, etc), and act to protect it. This is no the same as `my employees should be using company resources for company business only’, and leads nearly everyone to a fairly restrictive AUP. These practices are pervasive, and, given current legal and corporate trends, are unlikely to change (in the USA, maybe a change to the DMCA will help, but don’t hold your breath).

    The issue becomes much more interesting when you leave the USofA and start looking at countries with more solidly established privacy rights, but it quickly becomes interesting in the “chaos is pretty” sense that often hits hi-tech cross- (or non-) jurisdictional questions. In `cyberlaw’ (how I hate that term…), jurisdiction is always a key question without anything even vaguely like an answer.

    So, assuming that you decide to care a lot, what can you do? Get something like PGP, and use it from your own computer. Maintain a separate `private’ address. Always read AUPs, or ask someone (typically an HR person) to explain them to you (although in the USA, this is useless in some states). Oh, also, `never do anything bad’.

  17. chad
    Posted January 13, 2005 at 2:02 pm | Permalink

    Gah! Sorry about the formatting.. Not sure what happened there.

    Obviously, I am incompetent.