IT Creep reading everyones email for his own pleasure 8

[McRocken]

My wife works for a University and her building has it's own server and IT people. The head guy goes around and drops little messages to people when he's talking to them about personal things he's read in their emails. He mainly does this with single young ladies that are newly hired but it's not confined to that. He seems to take a lot of pleasure in letting the workers know that he's Godlike and can do whatever he wants to. The upper people there, like the Dean of the School, don't know Jack about computers or anything related to IT. He comes up to you with a smirky smile and says something to you to let you know he read what you sent someone. Everybody knows that email at work is not personal, etc. But, this guy is a creep and uses it as a power thing. No one knows what to do or how to deal with him.

Here's the thing, people at this place are now getting the feeling that this guy has access to their yahoo, pop3 accounts, hotmail, or any personal accounts that they've check FROM work. He can get their passwords and such if they go through the buildings server and he obvoiusly has NO Ethics. It's like a peeping tom that's throwing it in your face and letting you know that you can't do anything about it.

What would YOU do? How would you catch this creep going into personal email accounts that are not connected with the University? What if he's going into accounts that he can get into because he's obtained passwords by snooping on the server?

Note: My wife works very closely with the Dean - The Dean has not asked this fellow to look at the workers emails, this is different, he's doing it on his own - because he can. It's been brought up to an assistant Dean who was appalled but said that there was probably nothing they could do - she did'n't know about the password thing though and that hasn't been proved to be a fact - yet. I'd love to "set a trap" and catch him doing it.

I just joined this group because I was searching IT ethics and found it. Thanks for any suggestions! Does this behavior ever become illegal? Or it is mainly an ethical issue?

 

[njwcad]

I guess that it depends where you live. Certainly within the UK this would fall within the data protection act providing his actions were not sanctioned by his employer.

I think the US has a more liberal approach to personnel data.

Pete

 

[LadySlinger]

It is certainly more liberal in the US, but for reasons of data protection (such as making sure that certain documentation doesn't get emailed out, etc) , rather than personal gain.

If this guy really is reading other people's email from the office for his own pleasure and turning around and telling people this, then that falls under the category of harassment. Making people think that he's GODLIKE because of his access is a harassing nature.

Also if he IS reading employee hotmail and yahoo accounts, then that's something that needs to be reported and investigated by the police. Reading this type of email is personal and has nothing to do with work (unless the police came to him and said "read these peoples emails" with a warrant, but from the sounds of your post, I highly doubt that).

I would definitely approach this with the Dean. Explain to him the ethics behind the matter and that some people feel threatened by this, even though its work related email. Then show him several emails that were sent to other people for personal reasons, then show this guys' emails that relate to the personal emails.
Also if there is solid proof of the hotmail/yahoo accounts, be sure to bring this to the Dean's attention too.
Then suggest that some of his access be restricted for 6 months. Otherwise if he gets talked to, and no restricted access is done, he could just change his patterns and verbalize everything.

Good Luck!

 

[BJCooperIT]

How about this? First, make sure the assistant dean is aware of the trap you are about to set. Send an email to your wife's personal account. In the email, outline your "planned" vacation at a nudist colony. Using only activities you both do not do in real life, discuss your agenda of events such as horseback riding, horseshoes, hangliding, limbo contests, skiing, volleyball, etc. Be specific with names and dates. If this person mentions even one of these imaginary things you have him cornered!

[sup]Beware of false knowledge; it is more dangerous than ignorance.[/sup][sup] ~George Bernard Shaw[/sup]
Consultant Developer/Analyst Oracle, Forms, Reports & PL/SQL (Windows)
My website: Emu Products Plus

 

[pmonett]

I would simply start sending mail to the FBI stating that I am being harassed by someone in my workplace and asking what I can do about it.

If other workers are feeling threatened about it, they can send in their own eye-witness accounts.

My guess is that either the FBI shows up and demonstrates publicly just how un-Godlike he is, or he'll come around in a hurry and try to calm things down on his own.

Pascal.

 

[McRocken]

Thanks for the discussion on this!

I am thinking about setting up a juicy header on an email and sending this message to my wife's account. In the message I could put a link to a webpage that I created just for this purpose and maybe catch his IP address there (would be great if he checked it from his home computer) Maybe send my wife the password to this page and tell her that it's extremely important that she keeps it secret, etc, make it so he can't stand NOT knowing what it is, etc. I could also give her my password to my (newly created for this purpose) yahoo account, and in that account set the trap with the link to the webpage as well. I design websites for a living. I'm not an expert in the IT area so y'all could tell me if having his IP address would do any good - especially if he's checking it from his computer at work - could he say someone else used it or something? I really want a case against him that STICKS. He's pissed off several people by doing this and made everyone feel violated and so freaked out that they might not even be able to trust ANY email they send - even from their home account that's unrelated to the University. For instance, I set up a family group page for my wife's family and sent the link and password to my wife at work, we figure that he's probably been there and seen what we thought were private family things. My wife has checked my email for me (from work) I asked her to do this a few times and now the creep has possible access to my account - if he picked up the password from the server - where does it end? I should have known better but you do tend to trust IT people. It's just this one bad apple causing trouble for everyone.

 

[ecobb]

Personally, I like a combination of both BJCooperIT's and pmonett's ideas. You want to set a trap? Try this. Send your wife an email about going to a nudist colony, or anything else that has a strong sexual underdone to it. If this creep says something to her about it (and you know he probably will), she will have grounds for a sexual harrassment charge, and concrete proof that he's been reading her emails. I would imagine that at a University, just the thought of a sexual harrassment case against them would be enough for them to take care of this guy. Not to mention the fact that now your wife also has proof and can get the authorities involved on possible other charges. The University will take care of this situation for you.

Just a devious little idea...but I think this guy deserves it.


Hope This Helps!

ECAR
ECAR Technologies

http://www.ecartech.com

"My work is a game, a very serious game." - M.C. Escher

 

[tazuk]

If you can get confirmation of this guy's behaviour it might be best to use this to encourage the dean / assistant dean to carefully and discretely investigate further before hauling the creep over the coals.

Someone with this low level of ethics may well choose to sabotage systems / withhold passwords / other nefarious behaviour rather than go quietly. Steps will need to be taken to prevent this and gather further proof to protect the institution from legal action.

This type of person gives all IT people a bad name - someone with the skills to gain this level of access who can't determine when it is ethical and appropriate to do so doesn't belong in the industry.

Hope you nail him.

TazUk

Blue-screening PCs since 1998

 

[LadySlinger]

Hmm...you could take the nudist colony thing one step further and email your wife about threesome trip with this guy. Include in there how much you think he's "hot". If he's just reading the ladies emails, then it might just creep him out that another guy is checking him out.

 

[Stella740pl]

McRocken,

Before setting up a trap for the guy, make sure you are not setting one for your wife. I know that Universities are usually very liberal, especially when it comes to accessing Internet, your private e-mail, etc. - my husband has worked for a few and still teaches from time to time. But when you have a case against the guy and he feels the danger, he may be able to create one against your wife.

Check very carefully all Internet and e-mail-related policies that may actually exist, even though not enforced. You may find that, say, accessing your private e-mail, like Yahoo or whatever else is not allowed; or sending e-mail of personal, let alone sexual (as was suggested above) contents from the University equipment is prohibited, or something alike.

You may also want to check what the creep's job description say. You may find that 'watching out' the employees' Internet use is part of his duty (even though he is clearly too eager and not ethical about doing it), buried somewhere deep in the wording.

Whatever you do, first make sure that you don't set up a trap for your wife at the same time. And if you decide, after all, to set something against him, be also careful about making up "juicy details" - they will most likely become widely known, and your wild imagination may bring you some embarrassment.

Good luck.

 

[SantaMufasa]

McRocken, First, and foremost, it sounds to me like the University (surprisingly) lacks a "Univeristy Personal and Data Privacy Policy". Someone should point out to the appropriate Powers that Be that lacking such a policy, the University is exposing itself to potential legal liabilities and entanglements.

The University does not need to rely upon State or Federal privacy laws...they can, of their own accord, implement a privacy-protection policy under their University Ethics and Honor Code charter.

By pushing this aspect, you probably kill multiple birds and one Slime Ball with one stone.

Mufasa
(aka Dave of Sandy, Utah, USA)
[I can provide you with low-cost, remote Database Administration services: see our website and contact me via www.dasages.com]

 

[ecobb]

Stella740pl, while sending these types of emails may be prohibited, they can't stop what you receive or everyone would get fired for getting Spam. No one suggested she send anything out, just that her husband send something to her personal account. Even with that, she doesn't have to check it at work, but if the IT creep mentions anything about it, he's been in her private email, possibly from a university computer.

SantaMufasa, I'm sure they have a "Univeristy Personal and Data Privacy Policy", it's just this guy doesn't abide by it. I agree with you that it needs to be enforced, but most people (including administration) just flat out don't care until there's a potential lawsuite because of it. Then it gets their attention.


Hope This Helps!

ECAR
ECAR Technologies

http://www.ecartech.com

"My work is a game, a very serious game." - M.C. Escher

 

[Stella740pl]

while sending these types of emails may be prohibited, they can't stop what you receive or everyone would get fired for getting Spam.

That's true. But I don't get spam to my work account - probably they have some filter in here, plus, I believe, some e-mail can be quarantined and, yes, reviewed by someone in charge, with rights to do so.

If, however, these messages are sent to a totally private account, not accessed from work, and he still knows about them - that's a totally different story. But, on the other hand, if the creep can hack password and access that private account, it means that at one time or another she did access it from work - and she better check if she was allowed to do so, before setting the trap.

 

[McRocken]

Some great tips here - I agree with being careful, I wouldn't use a sexual message like some have suggested. Something else or just enough of an idea to bait him would be enough. I'm trying to check into the University policy, etc. I'm not going to go off and do something crazy, I'll take my time and see if there are other ways to deal with this. This fellow has mentioned to 3 people, that I know of, about some item that he could only have known through reading their emails and made it clear to them that he's read them.

My wife had to deal with a lot of work related items over the weekend and on Monday, he comes up and with a little grin, says, "I see you were busy emailing this weekend." It's just a little creepy when the guy is always reminding you that he's watching you. This guy is a real gossip monger as well and SOMEHOW always knows whats going on in everyone's life - I wonder how.

 

[McRocken]

Again, here's what I'm proposing. I set up a yahoo account to be used only for this purpose. I send a couple of messages to it so it looks used, and in there I put one message with a subject line something like "personal-stay out!" (I'm not sure about the subject line yet) In this message I'll have a link that goes to a webpage that I create just for this purpose and tell no one about. I'll monitor the hits to this webpage and will be able to capture the IP address of anyone who goes to it. Then I will send, to my wife's work email account, a message saying that I've got a new email address at XXXXX.yahoo.com and that it's only for "talking about our little personal problem" and tell her to be careful not to let anyone have this password to the account or it could be embarrasing to us- and give her the password to the yahoo account. Now, IF he reads her mail he'll have that password, and IF he goes to that personal Yahoo account outside of the University and clicks on that URL, and I can prove it - I think I might have him - a lot of IFs but possible. You IT experts will have to tell me how to connect him with the IP address, I'm not sure how all that works.

What do you think?

 

[Stella740pl]

Well, don't want to spoil it for you, but I, personally, wouldn't want my husband to send messages to my work account at all, and with any personal information in particular, especially with an e-mail address and password, be it real or fictional. Whatever he can send me to a private account, better yet - tell me on the phone (preferably my cell), or, the best way, wait a few hours and tell at home, he wouldn't send me to work.

It even looks unnatural - you know that you shouldn't expect privacy in your work e-mail, and that it could be retrieved years later and treated as a business-related document, and you send a message about sharing your "little personal problem" in a personal secret account - and you include the full detail of that said account in it. If she is not supposed to access that new personal account at work, anyway, what the rush to send it to work and not show it to her at home? Doesn’t look good.

Even if you get him this way, I wouldn't want to be the person who gets this e-mail at work.

Even if he talks about it, it would be a proof for you only. He may as well deny later that he said anything at all. If, however, you can catch him going into that webpage (and he might copy the URL, not click on it), that, I would guess, is not proof enough that he read your e-mail account - he might have been able to find that page by other means. In any case, if you got some proof, one way or another, how would you proceed? Did you think about that yet?

 

[LadySlinger]

"I see you were busy emailing this weekend."

While this might be creepy to some people, maybe its just me, but I would reach across, pat him on his head and tell him "Congratulations, you know how to check my email account. Now why don't you go find something useful to do before I find something for you."
If he's trying to use psychology over certain people in the office, that he's like you said "Godlike" then people just need to learn that they should act like they don't care. It'll bruise his ego a bit.

However, if he came up and said "So how was the movie you saw Saturday night?" Then I would note the time, date what he said to me and write it all down on a log and hand that over to the Dean.

 

[McRocken]

Yeah, the "see you were busy emailing" comment is not a big problem as he's in charge of the system - but I only told you that to show you how he flaunts it to the people there. I don't need proof myself because my wife and a couple of her co-workers have had him mention SPECIFIC emails that he read of theirs to their face. There's no question that he's doing it, that's proof enough for me. And, again, nobody expects privacy in their mail at work and that's not the question - the real question is: Can't you expect privacy in your OTHER home accounts? Those that he might have gained access to by getting your password because maybe you checked your PERSONAL home account from work and then, afterwards, he goes after the passwords by looking for them on the school server? This is not really an email issue but one of a person using an online website for banking or checking another personal account from work and he sees the password you used and can then go back later himself - if he so chooses to. Nobody knows if he's gone that far - I'd like to know by giving him the chance.

Of course I know that any real personal stuff should not be sent to my wife at work - I'm just SAYING that it's personal to get his attention in this case. If he goes off of the school server, to an outside Yahoo account that I created to prove that he's doing this, and then he goes into it WITHOUT permission and only has access to it because he read about it and gotten the password to it from an email to my wife - wouldn't you think that's a problem?

Think about this - my wife told me that she once (during lunch on her own time) paid a bill online at her bank. This means that the guy could go into our banking account if he got that password. You know how it is... the average person is not savvy to how this stuff works and never imagines that these things can be such problems. If this isn't about ethics, I don't know what is. As an IT person you have access to information - how you use it really shows the TYPE of person you are. Here we obviously have a power crazed peeping tom type guy with no ethics and not afraid to let you know it - he's thumbing his nose at you saying "what are YOU going to do about it?"

If I could prove it, I have connections at the University and will use them to expose this fellow. I know the Dean too but I would never bring it up without proof.

 

[SantaMufasa]

I'm sure they have a "Univeristy Personal and Data Privacy Policy", it's just this guy doesn't abide by it.

At the universities around here, any faculty or staff caught breaking the Honor Code or any university-generated ethics policies is dismissed.


If McRocken's institution has a policy that they are not enforcing, McRocken (or spouse) should be able to go to the university's legal counsel and say,

"There is a university employee that is an ethics abuser. He is creating and fostering a threatening work environment that is causing emotions that range from uncomfortable to enraged amongst colleagues. I'm certain that this is not the type of atmosphere and environment that the university wants to tolerate.

"We want to see this behaviour stop and are willing to take action. As university counsel, what do you advise us to do next to prevent this perpetrator for continued misbehaviour?"

The counsel cannot help but feel some level of concern if s/he sees any sort of exposure to liability on the part of the university.

This all hinges upon just how far you and your colleagues are willing to go to make this slime ball stop.

Mufasa
(aka Dave of Sandy, Utah, USA)
[I can provide you with low-cost, remote Database Administration services: see our website and contact me via www.dasages.com]

 

[Spirit]

Wow, never seen so many posts in one day! A nerve has been struck! I hate this guy sooooooooooooooooooooo much already. He's an absolute

The whole set a trap blah blah blah DO NOT DO IT. It just tarnishes your reputation. And its easy to say "oh I overheard that being discussed by some students".

What you need is evidence not circumstancial evidence.

Only the powers that be can deal with this.

If this guy is the only and most senior IT guy you have to get an external party to come in and start monitoring logs. Thats what happens when you read other peoples email - you need permission (thats in computer terms, eg username and password) to read another users email and that is logged. If not you need to turn that auditing back on.

Also he might just be remote desktopping onto the PC and watching what is on your screen and reading mail then, although onpening it with an admin account seems more likely.

In terms of capturing hotmail passwords as an admin thats so easy it should be illegal... oops it is! I can easily pop a key logger on your PC. I can just stick a packet sniffer on the gateway. I can stand over your shoulder and watch your fingers! If you click that little box "Remember My Password" then more fool you. Because when you go home I log on to your PC as you and theres all your saved passwords available for my use.

You also need the external people to check for hidden surprises, document the network incase he gets nasty.

If he worked for me I'd capture the logs make sure I head the evidence then escort him off site permanently.

I think I speak for - almost - all of tek tips in saying GGGGGGGGGGGGRRRRRRRRRRRRRR