backtop


Print 40 comment(s) - last by Shida.. on May 25 at 9:36 AM

"I always feel like somebody's watching me"...

Do you ever feel like someone is watching you, waiting for you to make a mistake?  Well if you're part of one of the 41 percent of largest U.S. companies that monitor their employees email on a regular basis, you might not be so crazy after all.

A surprising new survey is illustrative of the increasing loss of privacy on the internet, particular in public locations.  The company that published the study, Proofpoint, states that the cause of this privacy loss is not entirely malicious.  Companies have become fearful of information leaks over email, blogs, message boards, media sharing sites and mobile devices.  Over 44 percent of companies admitted to performing investigations into leaks this year.

Companies are responding by increasing employee monitoring.  Of the companies with over 20,000 employees, approximately 41 percent were found to monitor outbound email.  Of the large companies approximately 22 percent hired employees chiefly for the purpose of monitoring the other employees' email.

Aside from email leaks, 40 percent of companies reported investigating email violations of privacy or data protection regulations.  The results of these investigations -- 26 percent of all companies surveyed report terminating an employee within the last year for email policy violation.  Further, 23 percent of companies responded that their business had been impacted by the release of sensitive or embarrassing materials from within the company.  Of the largest companies, 34 percent report that their employee email was subpoenaed within the last year.

Companies aren’t just worrying about and watching employees' email communications, either.  Of all the companies surveyed, a surprising 27 percent reported that they lost confidential information through lost or stolen mobile devices within the last year.  In the past year 11 percent of companies reported disciplining employees for blogs or message boards.  In addition, 13 percent report punishing employees for inappropriate use of social networking sites and 14 percent report punishing employees for using media sharing sites.

Blogs are also under investigation these days.  Of the companies surveyed 14 percent of companies report investigating the release of material financial information (such as unannounced financial results) on blogs and message boards.

The unfortunate side effect of this trend is that it’s hard to tell companies are merely watching out for their own interests from companies who are looking to snoop inappropriately in employees personal lives.  The trend surely will leave many employees feeling a bit violated.

However, even those employees that are not subject to corporate monitoring may fall under the scope of increased government monitoring programs in the U.S. and abroad.  The UK government recently announced plans to try to collect its citizens' email, web, and phone history.  Web monitoring efforts here in the U.S. are also widely known.  People are having to face the somewhat unpleasant reality that their private lives online are becoming less and less private.



Comments     Threshold


This article is over a month old, voting and posting comments is disabled

Violated?
By Kenenniah on 5/22/2008 1:56:28 PM , Rating: 5
quote:
The unfortunate side effect of this trend is that it’s hard to tell companies are merely watching out for their own interests from companies who are looking to snoop inappropriately in employees personal lives. The trend surely will leave many employees feeling a bit violated.


If people are sending personal email using company equipment on the company network and through company servers, how can they feel violated if the company reads those emails? First most business tell employees beforehand than any email at work is not private and may be monitored. Second common sense should tell you that when using their equipment they have every right to monitor what you use it for. If you want privacy on your emails (at least from your employer) do it on your own time with your own equipment.

I'm sorry but I get tired of people trying to make it sound bad when corporations monitor email at work or control internet access. People are getting paid to do a job, not waste time writing personal email anyway. A company has every right to protect and manage what goes on on its network.




RE: Violated?
By JasonMick (blog) on 5/22/2008 1:59:09 PM , Rating: 5
Common sense and people's expectations in life you'll often find are two disparate entities...


RE: Violated?
By Kenenniah on 5/22/2008 2:26:22 PM , Rating: 5
True enough.

It's like when I had to investigate a user for sexual harassment and found a ton of proof in his email history. When confronted with the evidence in the meeting where we fired him he couldn't believe we violated his privacy and looked through his work email.

Or another user that tried suing us after she was fired for averaging over 160 outbound personal emails a day. Figure that an average work day is roughly 8 hours, so 480 minutes. Then figure a very generous 1 minute per email and do the math. She had even been warned 3 times to cut back on personal email and do more work.

It's not like we actually read every email, but when we get a complaint, or see an abnormal sending pattern we take a look into it.

I could go on and on and it's sad really. I would love to just be able to trust employees and give them full access to things and not have to monitor anything. Unfortunately there are more than enough employees that ruin it for the rest of them.


RE: Violated?
By TomZ on 5/22/2008 2:33:07 PM , Rating: 4
I don't really see this as a tech problem. For example, would an employee have an expectation that a desk or locker might be searched by the employer? Probably so. So then why would people expect that something they do on company time using company computers and networks would ever be any different?

In my experience, I think most employees "get it," but there are still some slow learners out there.


RE: Violated?
By Adonlude on 5/22/2008 3:51:29 PM , Rating: 3
Sure I have that expectation but if my employer actually started searching my bags and locker I would be pissed. That would be an accusation or at minimum a sign that I am not trusted. That is not something a company should be subjecting their employees to if the company cares about having dedicated, loyal employees that are part of the "family".


RE: Violated?
By Mitch101 on 5/22/2008 4:45:52 PM , Rating: 2
If the company issued you those bags for business purposes then yes they could and its should not be seen by the employee issued those bags as a violation.

Company provides computers for work related reasons not so you can buy stuff on e-bay and get soccer schedules.


RE: Violated?
By Polynikes on 5/22/2008 6:02:07 PM , Rating: 4
I don't think they should search through that stuff unless they have reason to believe you've been doing something wrong. When they just do it randomly it's insulting.


RE: Violated?
By Mitch101 on 5/23/2008 12:35:41 AM , Rating: 2
I agree. Consider ourselves lucky a few places I am hearing have a ban on cell phones. Not just because of cameras but because of being able to listen in on meetings or other corporate conversations.


RE: Violated?
By kattanna on 5/22/2008 2:48:38 PM , Rating: 2
quote:
It's not like we actually read every email, but when we get a complaint, or see an abnormal sending pattern we take a look into it.


too true. I have some people here who ask me from time to time if i monitor them and i always tell them that i have more important things to do then watch what your doing.. but dont change that equation....


RE: Violated?
By Mitch101 on 5/22/2008 5:01:06 PM , Rating: 5
Same here we are under law/compliance to archive e-mail for a specific number of years. Many companies I have worked for must do this. (Financial and Pharma mainly)

To make this simple I see people resumes, pr0n, conversations, burnout videos, etc all the time. You can rename them unusual ways and even compress them with passwords but I still see them and can get to them. Yes even encrypted and even embedded in photos. I can even get them back if you hard delete them and even if they were in your PST files. The level of recovery is dependent upon how much money your willing to spend to get that data back. Most solutions today are actually archived before you ever receive the message in your Inbox or the moment you typed it on your PC. I have recovered messages in temp form before they ever hit send. We will even dig into your internet history and find what websites you get to e-mail that are not blocked.

Take it from a guy who has been involved in Billion dollar lawsuits. Dont ever put anything you dont want to be read by someone else in e-mail, instant message, any electronic form what so ever.

While were on the subject Intel having trouble locating e-mail is laughable. The fine for lost e-mail is most probably less than that of incriminating evidence which supports a conspiracy with names associated with it.


RE: Violated?
By bertomatic on 5/22/2008 2:12:52 PM , Rating: 2
Agreed. The owner of the equipment and data have every right to monitor and protect that data. As a sysadmin, I am supprised over and over at how "regular" employoees use company equipment for personal use. "keep it at home people".


RE: Violated?
By Kenenniah on 5/22/2008 2:32:59 PM , Rating: 2
Nothing more exciting than swapping digital cameras out for an employee only to find he left pretty pictures of his anotomy on the memory card of the old one.


RE: Violated?
By MrBlastman on 5/22/2008 3:05:13 PM , Rating: 3
Or how about being a sysadmin and finding out that one of the most important employees in the company is a chronic porn surfer?

Do you shake his hand ever again knowing what goes on at work? Does the CEO do anything about it?

It is a double edged sword - for some people, they are immune to it where others get busted.

If you don't think it should be at work, don't do it at work.


RE: Violated?
By Mitch101 on 5/22/2008 5:23:48 PM , Rating: 4
Managers are the best for pr0n and jokes. A good manager provides up to date new jokes worthy of reading.

Helpdesk is the worst for resumes and burnout videos and thinking they know ways around the system. LOL. A+ certified no more like D minus at most.

Accounting and HR for soccer mom schedules and extra curricular activities outside the office. Gossip too. The funny part here is Accounting and HR will open tickets for not receiving kids photos or soccer schedules or e-mail from their husbands.

Security funny enough they receive the most netflix e-mail. Should you be securing the place or watching movies?

Most of the time if you do get called to check on something its because someone forwarded the wrong joke or adult content to the wrong person or someone saw it over their shoulder.

My favorite ones to deal with are the people who receive a spoofed message from a yahoo/road runner account thinking they won a contest from the company you work for and you match the IP addresses to their local subnet.

A manager once moved his porn accidentally to a public folder.

Other things that come to mind.
Girls with ex boyfriends who start websites with their pictures on them. Ex wife/husband fights. Someone sending threats to people outside the company from someone else's computer left unlocked. VIRUSES from people who connect to external mail systems and open the attachments then try to deny and lie about it. Sadly the Viruses from external mail sources is someone from helpdesk 30% of the time. Again D Minus certified.

Every e-mail system should block AOL entirely because its just chain letters, jokes, virus warnings you heard 10 years ago that they just heard for the very first time. Budweiser frogs? Bill Gates sending you money if you forward this to 10 people?

In every company there is that one guy who must forward you ever piece of spam he ever receives in his inbox even though you tell him to just delete it and move on he never does this. At this point the e-mail team adds his name to spam just because.

A new thing I started seeing is spam with an IPV4 but last octet being IPV6. Example 192.168.2.354 I haven't tried this yet but its a pretty cool idea.


RE: Violated?
By phattyboombatty on 5/22/2008 3:55:01 PM , Rating: 2
quote:
The owner of the equipment and data have every right to monitor and protect that data.


Try using that same argument to secretly record phone calls. Even though your employee is using your phone, your phone server, and your phone lines, you're probably committing a federal and/or state crime by recording that call.


RE: Violated?
By Kenenniah on 5/22/2008 5:11:19 PM , Rating: 2
Tell that to evey customer service center. I'm guessing you've never hear the disclaimer telling you that this call may be monitored etc.? All you have to do is let people know their calls may be monitored and there is no legal issue. Just about every large company that I know of has policies that employees sign to work there. Phone calls are also different, since in order to record the call you are all recording what's being said on a different public or private network. To read an email, you don't have to touch on any other network. You are just reading text already stored on a hard drive in your server or your employee's computer.


RE: Violated?
By phattyboombatty on 5/22/2008 6:04:56 PM , Rating: 2
I hope you're not running a legal department anywhere. The customer service centers you mentioned get consent by informing the caller the call may be monitored. Thus, all parties to the call are aware of the recording and its ok. How does telling your employee that their call may be monitored inform the private party on the other end of the call that the call is being recorded?

Your example with email regarding public vs. private network only works for intra-office emails. Every outgoing and incoming email from outside your private network has to travel across public lines, and is analogous to the phone example. I'm not saying that recording emails is illegal. I'm just saying that the argument that "this is my property, I can do what I want with it" doesn't always fly.


RE: Violated?
By Kenenniah on 5/22/2008 8:54:14 PM , Rating: 3
Federal and most state laws (with the exception of 12 states) only require one party of a phone call to be aware of the recording. So it all depends on where the calls are taking place (and yes the strictest law stands). So for a call from Iowa to Kansas, only one party is required, but from Iowa to California all parties are required to be notified, so we are both correct depending.
http://www.rcfp.org/taping/

For the networks, there's a difference between passing through other networks, and actively recording information. With recording phone calls, you have to record both ends, so you are in effect streaming information from an outside network and recording it. With an email, the data has been completely sent to your equipment. It may have gone through other networks to get there, but you don't have to aceess or touch those networks to get the information, Every bit of it at the time you read it is located on your own private segment. I can disconnect my computer from the internet and still read an email. I can't disconnect from a phone line and still record a conversation. I'll grant you it's a very very subtle difference and I have no idea if it really matters or not :P

One way to look at it, is an email is more like the recording of the phone call. It's already been recorded, it was just sent to your servers. So to compare more directly, it would be like someone recorded their end of a phone conversation, and trasferred the wave file to your company's servers.


RE: Violated?
By phattyboombatty on 5/22/2008 3:32:40 PM , Rating: 2
quote:
If people are sending personal email using company equipment on the company network and through company servers, how can they feel violated if the company reads those emails?


You mean, if people are using the company's toilet in the company's restroom on the company's plumbing and sewer system, how can they feel violated if the company videotapes them doing it.


RE: Violated?
By Kenenniah on 5/22/2008 5:24:15 PM , Rating: 2
Are you actually comparing monitoring email to taping people using the restrooms? There's a huge difference between invading one's personal space (videotaping them undressed) and reading an email they chose to put on your server. There is a resonable expectation of privacy while using the bathroom, but bits of data they knowingly give to you?

No, monitoring email is more like videotapoing a naked employee because they were dumb enough to get undressed at a security entrance where they know a camera is recording.


RE: Violated?
By phattyboombatty on 5/22/2008 6:21:37 PM , Rating: 3
quote:
Are you actually comparing monitoring email to taping people using the restrooms?

I was countering your argument that an employee is entitled to no privacy if they are using company property.
quote:
There's a huge difference between invading one's personal space

Many people would consider their personal space to include their private email messages.
quote:
and reading an email they chose to put on your server.

Most people don't consider the act of sending an email to another person as "putting an email on your server." I could just as easily say "that employee chose to place their urine in the company's toilet and I was entitled to watch it as the company's representative."
quote:
There is a resonable expectation of privacy while using the bathroom

Bingo. Now you're actually getting to the real argument. It's not whether or not the property belongs to the company, it's whether a person has a reasonable expectation of privacy in their interactions with that property.
quote:
but bits of data they knowingly give to you?

Again, most people sending emails wouldn't characterize it as giving bits of data to the IT guy down the hall. They believe they are sending the message to the person in the "To:" field. Just because a company has the physical capability to view an email message, does not mean the email sender is giving that message to the company.

You touched on the key argument briefly, which is whether an employee has an expectation of privacy. The answer is probably no, if the company discloses to the employee at the beginning of their employment that the company monitors all emails.


RE: Violated?
By Nfarce on 5/22/2008 8:20:40 PM , Rating: 1
Comparing taking a dump on a company toilet to sending personal emails on a company PC are two entirely different things. One is a bodily function that MUST be done as a human being. The other is a non-WORK related activity. Anyone who would even think about comparing the two is an idiot. Do you think corporate dress codes are a violation of your privacy too?

That's about the attitude I expect of today's youth who feel they are entitled to everything, INCLUDING a job. (Newsflash: that job belongs to the company, not you, sport).


RE: Violated?
By mindless1 on 5/22/2008 9:05:07 PM , Rating: 2
News flash - that job doesn't "belong" to the company, a job is an agreement between TWO parties.

Yes, "today's youth" are entitled to everything including a job and what they can afford from their wages, they are free to do whatever they like (inside the law else suffer the consequences)and have equal power as their employer. A workplace is not a prison camp, if an employer wants to be overly controlling they will find they have to either pay the employee enough to accept that or the employee will choose to leave.

The flip side of your mistaken idea is that employers feel they are entitled to make policies not necessary for the operation of their business. Walking onto someone's property does not make you become their property, there is never control of another human being in a free society, only an agreement with terms that both parties have to adhere to.


RE: Violated?
By Kenenniah on 5/22/2008 9:18:30 PM , Rating: 2
In a way we are kind of arguing different points. To put it more simply, the way I look at it is this.
What it boils down to in my opinion, is whether an employee has a right to use company computers for personal reasons. Since the company is paying for the computers etc., and providing them to the employee with a specific purpose (doing work), I argue that they don't have an inherent right for personal use. If they don't have the right for personal use, then how can they have a right to personal privacy on those machines?

In the bathroom scenario, the restrooms are provided for very specific purposes, which inherently include privacy for bodily functions. After all, that is one of the primary reasons bathrooms are provided. Even then, if for example there was reason to believe drug deals were being conducted in the restrooms, the company would find some way to investigate. Not cameras over the toilets for obvious reasons, but they'd find some other method.

In a general sense, using company equipment for personal use is stealing. While we don't care if an employee prints off a recipe once in awhile for example, it's entirely another matter if they are constantly printing out 500 page books. In effect they are stealing paper, ink/toner, printer wear and maintanence costs, productivity, and time from the company.

Even the IRS makes a distinction between business and personal use of company assets. I have to pay income taxes based on how much I use my company car for personal driving. One could argue that personal use of computer computers etc. should fall into the same category.

One other aspect often not mentioned, is that when using a work email account, the company's name is on every outgoing email sent. When sending that email, the employee is acting as a representative of the company, and the company can be held liable under some circumstances for what that employee does with his email and internet access.

I do agree with your general sentiment however. I believe companies need to draw lines and be careful with their policies. On the one hand you want to protect your company interests, but you do have to take employee morale into account. You don't want them feeling oppressed and thinking the company is watching their every little move. It's all about finding a balance. After all, happy employees are good from a caring AND business standpoint.


RE: Violated?
By teckytech9 on 5/23/2008 1:31:31 AM , Rating: 2
quote:
It's all about finding a balance.

The balance can be argued to the ownership of all employee emails, and for all generated emails for any company in question. This can be a sensitive issue since authority of ownership often lies with the CEO, CIO, or other company executives.

Companies as individual entities tend to keep most of its matters such as company perks, bonuses and stock options private. What is interesting in the whole process is that emails taken as a record of communications, can be deleted "at will" as well as the personnel contracts of its employees. Most employees enjoy company perks, especially "milking the cow" while its still there.


RE: Violated?
By Shida on 5/25/2008 9:35:45 AM , Rating: 2
Very true. But just saying: what if they start going beyond monitoring through their company equipment and start, going oh I don't know, Orwellian?

It's 1984 man....and it's gonna be a looooong year...


RE: Violated?
By Shida on 5/25/2008 9:36:52 AM , Rating: 2
Very true. But just saying: what if they start going beyond monitoring through their company equipment and start going, oh I don't know, Orwellian?

It's 1984 man....and it's gonna be a looooong year...


E-mail monitoring not optional
By chromal on 5/22/2008 2:09:41 PM , Rating: 4
This shouldn't be surprising. And if anything, it should be reassuring. At least in some industries. I work for a securities broker-dealer and regulatory agencies who oversee and occasionally audit us require e-mail (and IM) retention for auditing purposes. I suppose the rationale is that as long as e-mail can be monitored, someone is less likely to violate regulations using it.

Folks, if you want privacy, use personal e-mail accounts for non-business communications.




RE: E-mail monitoring not optional
By afkrotch on 5/22/2008 3:15:47 PM , Rating: 2
Or be like us Sys Admins and not monitor ourselves or surf the web on the proxy server. w00t.


RE: E-mail monitoring not optional
By Zoomer on 5/22/2008 3:19:29 PM , Rating: 2
Do most companies use outbound smtp server monitoring, packet sniffing or screen snooping?


By FITCamaro on 5/22/2008 4:28:58 PM , Rating: 2
Every company I've worked for has had the first 2. The company I work for now has all three.


Part of me says big deal
By Cobra Commander on 5/22/2008 2:02:53 PM , Rating: 5
As an IT Manager of a small-to-medium sized business in Atlanta, GA we have never monitored a single email. People directly ask me "Do you monitor our email?" and I don't lie - I say, "No, but I could if we needed to." and if I like them enough I'll add "but we've never snooped so you don't have anything to worry about unless you create a problem."

However, sometimes it is very easy for people in the work force to conveniently forget they are at work to do a job, and that their personal lives do not belong at work. Therefore when you email your spouse a dirty email you are doing it on your employer's equipment and it is their right to know what's going on. It's about as ignorant as a 3 year old getting caught in the cookie jar - as an adult you can hear them making noise in the kitchen but the child just doesn't think it all the way through.

Yes, there is obviously a valid Big Brother argument to make here but there is an equally if not more valid 'pull your head out of you arse' argument to make as well. It most definitely goes both ways and I'm not sure at all, at least in my eyes, this blog is doing this but often such blogs don't properly paint the full picture.




RE: Part of me says big deal
By InsidiousAngel on 5/22/2008 2:14:15 PM , Rating: 2
I am in a similar situation as an IT Manager for a small-medium company in NC. I have verbatim told them exactly what you have; the only difference here is I have to control internet access, but not for Big Brother reasons, but more of a system managing the people vs. management managing the people. I won’t even get started on that subject. As long as the fear of the company having the ability to monitor is there, I haven’t had too many issues.


RE: Part of me says big deal
By kiloguy on 5/22/2008 2:54:20 PM , Rating: 2
Cobra: Good post. I agree with you 100% that the workplace use of resources cannot be regarded as one's own. I guess that many in this thread have a situation similar to mine, in which the Company has its own INTRA NET that is accessible from without for those needing access. That network topography should not be abused whether in the office or from remote. Monitoring by the company is not a breach of privacy; it is protecting the official use of assets.
ps. chromal: also a good post.
.


Wow
By Denigrate on 5/22/2008 2:30:18 PM , Rating: 2
In other news, the sky is blue and water is wet.




RE: Wow
By FITCamaro on 5/22/2008 3:03:02 PM , Rating: 2
Exactly. This is common corporate practice. How much did they spend to do this worthless survey?


RE: Wow
By Denigrate on 5/22/2008 6:11:27 PM , Rating: 2
Not sure, but I need to start coming up with obvious studies to pull some government grant $$$$'s. Nothing like seeing our tax $$$$'s at work.


hm
By LumbergTech on 5/22/2008 5:36:03 PM , Rating: 2
i sympathize with the common concerns of companies ..but on the other hand people are increasingly stuck at work for most of their lives, and i do think there should be some kind of line as to what is considered private..should the company be able to read any email that the person has in their email box just because they are using an email account on company property? or only those sent during or at work?




Phones Not Included.
By teckytech9 on 5/22/2008 7:58:53 PM , Rating: 2
This article reminds me of a scene from the "Matrix" when the Sentinels are looking for Neo and he hides, and dodges them by ducking down from cubicle to cubicle. Lets face it, big brother does not trust nobody and especially dislikes whistle blowers who report their wrongdoings. To counter the imbalance, it only seems appropriate to carry a personal cell phone/PDA to handle ALL private communications.

When layoffs are secretly organized, or the key cards don't work one morning, its always good to keep local media outlets and local newspapers informed of the details. There is no doubt that FUD is included in blogs, but once in a while an insider will "tell it like it is" which keeps things in the balance.




Not Surprised
By MKct on 5/23/2008 10:53:40 PM , Rating: 2
I work at a large, well known corporation in the IT support department and I am literally amazed at how many people use their "work" assets like their email accounts and PCs for personal use. Now, I am not part of the IT Security team, but I have to assume there is some type of monitoring going on, especially with email. Yet, as I am working on user's PCs, I notice all sorts of personal, non-work related activity in their email (not snooping on them, but hard to ignore when trying to fix issues with Outlook!). Even to the extent of a relatively high up manager having his Match.com emails sent to his work address! Whenever I am at work, whatever I may be surfing, I limit to tech sites or any other harmless surfing like sports scores, etc. I try to NEVER use my work email for personal communications. This tends to get difficult when the company has pretty much all webmail blocked on the proxy servers, but I am always assuming that any mail sent via the company email system is subject to monitoring. In fact, even if they did allow webmail access, im sure those packets would be sniffed as well. Most companies have some kind of disclaimer regarding what they may or may not be monitoring, and if an employee chooses to ignore that, then they may eventually have to suffer the consequences.

In a world where it is becoming increasingly difficult to "disconnect" from the office, people still need to use some better judgement in keeping their personal lives out of the office and its equipment. It'd be nice to not have users wanting you to back up their iTunes collections they have on their work PCs, or asking if a certain USB toy will function on their work PC so that their kids can play with it at home!!!




"If you look at the last five years, if you look at what major innovations have occurred in computing technology, every single one of them came from AMD. Not a single innovation came from Intel." -- AMD CEO Hector Ruiz in 2007














botimage
Copyright 2014 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki