IT Creep reading everyone's email for his own pleasure

Status
Not open for further replies.

McRocken

Technical User
Dec 14, 2004
US
My wife works for a University and her building has its own server and IT people. The head guy goes around and drops little messages to people when he's talking to them about personal things he's read in their emails. He mainly does this with single young ladies that are newly hired but it's not confined to that. He seems to take a lot of pleasure in letting the workers know that he's Godlike and can do whatever he wants to. The upper people there, like the Dean of the School, don't know Jack about computers or anything related to IT. He comes up to you with a smirky smile and says something to you to let you know he read what you sent someone. Everybody knows that email at work is not personal, etc. But, this guy is a creep and uses it as a power thing. No one knows what to do or how to deal with him.

Here's the thing, people at this place are now getting the feeling that this guy has access to their yahoo, pop3 accounts, hotmail, or any personal accounts that they've checked FROM work. He can get their passwords and such if they go through the building's server and he obviously has NO Ethics. It's like a peeping tom that's throwing it in your face and letting you know that you can't do anything about it.

What would YOU do? How would you catch this creep going into personal email accounts that are not connected with the University? What if he's going into accounts that he can get into because he's obtained passwords by snooping on the server?

Note: My wife works very closely with the Dean - The Dean has not asked this fellow to look at the workers emails, this is different, he's doing it on his own - because he can. It's been brought up to an assistant Dean who was appalled but said that there was probably nothing they could do - she didn't know about the password thing though and that hasn't been proved to be a fact - yet. I'd love to "set a trap" and catch him doing it.

I just joined this group because I was searching IT ethics and found it. Thanks for any suggestions! Does this behavior ever become illegal? Or is it mainly an ethical issue?
 

Of course I know that any real personal stuff should not be sent to my wife at work - I'm just SAYING that it's personal to get his attention in this case.

The way I understand it, if it is not work-related, or, at least, of some general interest, it IS personal. Even if you are just SAYING (yes, I understood you correctly the first time) it is personal, and it is not real, it is still personal. Anyway, no one, without hiring an investigator, can truly distinguish whether it is real or imaginary, but just looking at the contents would say that it is personal.

I am not sure that setting up all this trap would be a sufficient proof to the dean, unless he is a technical person. Also, even if it is, he might not want to use it because of the questionable nature of the proof. He wouldn't want problems.

I would favor some combination approach.

First, try to find the policy, if one exists, regarding e-mail and Internet use on the University equipment. Read carefully, to check whether your wife doesn't break it (by opening private accounts, paying bills, etc.) before proceeding. Read what it says about expectation of privacy.

Then, note something to the guy as LadySlinger suggested. If he makes notes about information found in the private e-mail accounts, you can say something like "I see you are watching me. Do you have a warrant to do so?" or something else, to hint that you MIGHT actually do something about it.

At the same time, have your wife (and possibly, some other coworkers would agree to do so) log, as LadySlinger told you, all occurrences of his remarks, with time and date, and other details. When you have more than a few, complain to the dean in writing, preferably with coworkers, too, on unethical behavior and harassment committed by this guy. It might be a proof enough.

At the same time, it might be a ground to push for some Personal and Data Privacy Policy, as SantaMufasa suggested - or to show that the guy doesn't abide by it, and even uses the information that he gets as part of his work duties for his own purposes. You might really get him.
 

Is it just me, or the threads that became too wide to fit the screen because of all the ...GGGRRR... and ...AAAHHH... used to have a horizontal scroll bar? Now it just shows what fits in the window and cuts off the rest. Inconvenient.

(Hello, Spirit ;-), I would guess I speak for the rest of Tek-Tips: just GGGGGGGGGGGGRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR would have been enough.)
 
Whoever the Administrator is for this forum can edit Spirit's post to reduce the "teeth gritting" down to a "narrower" level.

[santa]Mufasa
(aka Dave of Sandy, Utah, USA)
[I can provide you with low-cost, remote Database Administration services: see our website and contact me via www.dasages.com]
 
I found this in the Network and Computing Support area online at the University. Don't know if it helps or not....

Policies

Terms of Use for Computer Accounts

The University of XXXXXXXXX ("University") computer network, equipment, and resources are owned by the University and are provided primarily to support the academic and administrative functions of the University. The use of these computer resources is governed by federal and state law and University policies.

The use of computer accounts is subject to the following terms and conditions:

Each account is for the exclusive use of the individual or organization to whom it was assigned and users may not allow or facilitate access, including by a proxy or anonymous remailer, to University computer accounts, equipment, or restricted files or systems by others. Authorized users are University faculty or staff, currently enrolled students, and retirees, unless their access privileges have been revoked by the University. Divisions and departments may also authorize temporary accounts for use by non-University personnel strictly for the purpose of conducting University business.

The use of the account may not violate any policy of the University.

The use must not overload the University's computing equipment or systems, or otherwise negatively impact the system's performance.

The use must not result in commercial gain or benefit to the users and cannot constitute consulting for a business or running a business. The page or site may not promote commercial activities or display paid advertising.

The use may not violate laws or University policies against discrimination or harassment due to race, sex, religion, disability, age, or other protected status.

The use may not violate state laws or University policies on the use of University equipment, resources, or time for political activities.

The use must not involve sending or soliciting chain letters, nor may it involve sending unsolicited bulk mail messages (e.g., "junk mail," or "spam").

The use may not imply or state University sponsorship or endorsement, nor use University trademarks without permission of the University's Licensing Program.

The use may not involve unauthorized passwords or identifying data that attempts to circumvent system security or in any way attempts to gain unauthorized access.

A Web site or page or personal collection of electronic material that is accessible to others must include and display the following disclaimer: "The views, opinions, and conclusions expressed in this page are those of the author or organization and are not necessarily those of The University of XXXXXXXX or its officers or trustees. The content of this page has not been reviewed or approved by The University of XXXXXXX, and the author or organization is solely responsible for its content."

Organization accounts are subject to deactivation after notice to the last known sponsor unless the sponsor annually renews the account by submitting to the University an account renewal form (faculty/staff organizations) or by renewing the organization's registration with the Office of the Dean of Students (student organizations) by September 15 of each year.

The University may examine electronic information stored on or passing over University equipment or networks, for the following purposes: (1) to ensure security and operating performance of its computer systems and networks; (2) to enforce University policies or compliance with state or federal law where (a) examination is approved in advance by a dean, vice president, or the president, and either (b) there is reasonable suspicion that a law or University policy has been violated and examination is appropriate to investigate the apparent violation, or (c) examination is necessary to comply with state or federal law. Computer users should have no expectation of privacy in material sent, received, or stored by them on or over University computing systems or networks when conditions of subparagraph (1), or both (2a) and (2b), or both (2a) and (2c) above have been satisfied.

Use that violates the terms of the account agreement, state or federal law, or any University policy may result in referral for action under the appropriate disciplinary procedure and the imposition of sanctions which may include suspension or revocation of access privileges in addition to other sanctions.
 
Well, as Spirit says, don't set a trap. You're only opening yourselves to possible recriminations at a later date should the policy be enforced.

The lines:

"The use may not violate laws or University policies against discrimination or harassment due to race, sex, religion, disability, age, or other protected status."

and

"The use may not violate state laws or University policies on the use of University equipment, resources, or time for political activities."

both apply in this case. If you wanted to do something without arousing too much suspicion, get the Dean to bring in an external IT security company to perform a whole range of security testing (so it won't look like you're just looking at this guy's stuff), under the clauses in the AUP.
Make an announcement to all IT staff saying something like
"Due to the sensitive data we hold on our servers relating to research and teaching activities that The University carries out, The Dean and other members of the Senior management team have authorised XYZ IT Security to perform a full range of IT audits to determine if there are holes in any of our systems. No areas are beyond their remit. All IT personnel are hereby authorised to cooperate fully with them in their investigations and respond appropriately to any queries raised."

You then make sure that this building is one of the areas that the company look at. They may be able to find files of usernames/passwords, data from confidential files from people's network homespace in his, packet sniffers in key places on the network etc that this guy set up.
While he could claim that they were for use in ensuring network security, this reasoning should be checked out by an independent network security expert for validity.

Additionally, there's likely to be some sort of clause in his employment contract regarding bringing the University into disrepute, which could possibly happen should this knowledge become public. This is a problem should any of the "set a trap" techniques get used.

Even if it turns out he is just misusing administrative level privileges and scaring people, then this itself is a contravention of the policy and he should be dealt with under the same AUP.

John
 
I am not an attorney (although I play one on TV), but it seems to me that with the above policy, you can scare the bejeezus out of Slime Ball, even without the co-operation or concurrence of the Dean.

Clearly, Slime Ball is breaking University Policy (as it reads, above). For him to be reading surreptitiously other people's e-mails, either he or the University must prove that his snooping is either:

1) ensuring security and operating performance of its computer systems and networks; or
2) enforcing University policies or compliance with state or federal law...

So, Per Item 1: The burden of proof would be on his shoulders to prove that his reading of others' e-mail is ensuring security and operating performance (notice that he must prove that somehow his snooping ensures both security and performance to justify his behaviour under item 1 (which I would absolutely doubt he can)).

Per Item 2: To snoop under the auspices of Item 2, Slime Ball must prove:

a) He had advanced approval of a dean, vice president, or the president, and one of the following:
b) There is reasonable suspicion that one of the victims was perpetrating a violation of policy or law and Slime Ball's snooping was appropriate to investigate the suspicion (which I highly doubt he could prove), or
c) Slime Ball's snooping was in compliance with State or Federal law (which I highly doubt he could prove).

Now here is the clincher:
University Policy said:
Computer users should have no expectation of privacy...when conditions...above have been satisfied.
This implies that if Slime Ball cannot prove that he is snooping under protection of the above conditions that you CAN have an expectation of privacy!!!!


Next, you, or one of the other victims (or all of the victims) each pay $17 for one month's membership in some pre-paid legal service in your area. (I can give you the link to a service that has, since 2000, represented me on over a dozen matters, with 100% positive results in my favour, with no cost to me besides the $17/month membership.)

Such a service will, as just one of the aspects of their benefits, write (on Law Firm letterhead) a "Cease-and-Desist" letter to Slime Ball (with carbon copies to the Dean, the President of the University, and the University's Legal Department), demanding that Slime Ball stop his behaviour.

The letter can be along these lines:
Cease-and-Desist Letter said:
Mr. Slime Ball,

We represent multiple employees of the University of XXXXX. They have requested our firm to represent them in a demand that you show just cause for your repeated accessing of electronic mail from accounts of University of XXXXXXX employees.

Under the policies of the University of XXXXXXX and under statute of the State of XXXXXXX, employees can expect that such electronic files are private (i.e., not for your or University inspection) unless you and the University can prove that:

1) Inspecting (incoming or outgoing) employee e-mail ensures security and operating performance of University computer systems and networks, or

2) That each occurrence of your inspections of employee e-mails occurred:
a) with advanced approval of a dean, vice president, or the president, plus one of the following conditions:
b) you can prove reasonable suspicion (prior to your inspections) that each of the employees whose e-mail you inspected, is or was perpetrating a violation of University policy or State or Federal law and that your inspections were appropriate to investigate those pre-existing suspicions, or
c) Your inspections were in compliance with State or Federal law.

Please forward your responses to this inquiry to our office by <Some date>. Until such time, or absent an acceptable response, we demand that you Cease and Desist such future inspections of e-mails or electronic files of employees and staff of the University of XXXXXXX.

Sincerely,

Jane Q. Lawyer,
Attorney-at-Law
Since you are not bringing any legal action, per se, you needn't disclose either your names or even any proof (at this time) of his misbehaviour. Your legal counsel is simply demanding that Slime Ball not perpetrate any future unauthorised inspections of employee e-mails. It's that simple.

The University need not even know who, specifically, is making this request.

I imagine that once the higher echelons at the University sense the legal risks to which he (individually) is exposing the University (collectively), he will probably either be reassigned, fired, or have his wings otherwise clipped.

Let us know if you decide to pursue such a track, and if so, the outcome.


[santa]Mufasa
(aka Dave of Sandy, Utah, USA)
 
oops Sorry!

Kind of got my back up and got carried away with the "R"'s

iain
 

SantaMufasa,

"I am not an attorney"
Doesn't feel like it.

"(although I play one on TV)"
Hm. Are you serious?

Anyway, looks like you did a great job parsing and analyzing that policy, then drafting the legal document.

Have a star from me.
 
Thanks, Stella, for the Star.

As to my comment, "I am not an attorney (although I play one on TV)...", because you don't waste your intellect by watching a lot of television, you probably don't recognise my take-off on a television ad from a few years ago where a TV ad featured a highly recognisable soap-opera actor who was hawking some sort of over-the-counter pain medication. He began the ad by saying, "I'm not a doctor, although I play one on TV...".

So, in reality, I don't even play an attorney, but I am always interested in ways to apply the law to turn Slime Balls out into the street, especially when they arrogantly mock and deride their victims as tastelessly as McRocken's "piece of work" seems to be doing.

[santa]Mufasa
(aka Dave of Sandy, Utah, USA)
 
The only question I have with Mufasa's excellent suggestion, is what happens when Mr. Slime turns the table and sheepishly wonders aloud to the Dean why he is being harassed by his co-workers - as he would clearly, never ever in a million years read anyone’s email - never! It must clearly be a plot by all his jealous co-workers to harass him with such unfounded and slanderous attacks.

I do believe that Spirit and jrbarnet are on the right track and I think combining with Mufasa's idea, there could be a real end put to this issue - but some of the higher ups would have to be involved, and it would basically become a full blown "official" investigation. Keystroke logging would be the most effective method - unless as McRocken speculates he is doing most of the nefarious work from home - or some remote public outside location (library, internet cafe, wireless terminal, etc) and using a remote entry to log on as the user, etc. My bet is if he is willing to express his GODLIKE abilities openly to the people he is GODDING over, then I am also guessing he is covering his tracks pretty tightly. As jrbarnett indicated, many of the methods he employs could be blown off as network security, and if he is hiding behind a cloak of "legitimacy" due to the nature and power of his position, he has a built in excuse as to why those devices are in place. Anything that comes in the nature of an "outside" attack (legal, circumstantial, whatever) will clearly fall into the "accusational" my-word-against-his category, and could end up backfiring. Proving misuse of University given power is a whole different subject than proving his ability to misuse the power. Definitely elicit the help of the Dean, assistant Dean, or some other University sanctioned investigator. This is clearly a case of harassment, and should be dealt with in the same manner as a sexual, religious or racial harassment. With enough cooperative co-workers, this case could be clearly "proven" to any investigating team - just as any of the above mentioned harassment cases would be.
 
It could be considered creating a hostile work environment. I think in most states that is grounds for legal action.

BJ
 
BJ is right, especially if the slimeball is keylogging everything you do on the web.

If it is illegal in your state, then definitely get the authorities involved (if SantaMufasa's suggestion doesn't hinder the guy). If you do your site and catch the guy in the act, most likely if legal action is taken, this evidence will be thrown out because of lack of warrants, or not being done by proper authorities.
As much fun as your idea may be, it would only go so far as your knowledge rather than anything else unfortunately.

Good Luck!
 
SantaMufasa is spot-on with his analysis.

After reading the policy myself, Slimeball is *way* in over his head.

However, I would start with a letter to the Dean, stating examples of information that would ONLY be known if Slimy was reading e-mails, quoting the policy back, and asking that it be addressed.

Remember, that if you *ask* the dean to address it, as opposed to demanding it, you will get farther. When you demand help, you're "playing a trump card".

Entrapment of Slimy is never a good idea. Besides, the Dean *may* already be aware of it, and is just collecting enough evidence to get rid of the bozo, which you would only be hindering. Bring it to the Dean's attention, but continue to give Slimeball enough rope to hang himself with.

(It makes me feel guilty about the joking bumper sticker I have on my jeep that reads "I read your e-mail".... lol)



Just my 2¢

"In order to start solving a problem, one must first identify its owner." --Me
--Greg
 
I must say, I totally agree with Greg: By going (in a highly professional manner) to the Dean, you still retain the option to follow-up later with an (independent) legal process (which can be a "big hammer" if the Dean fails to act).

Well done, Greg. (Hava Star.)

[santa]Mufasa
(aka Dave of Sandy, Utah, USA)
 
Aw shucks. :D

You're a good guy, Dave... no matter what the rest of these guys say about you. ;)



Just my 2¢

"In order to start solving a problem, one must first identify its owner." --Me
--Greg
 
Greg!!! You weren't supposed to tell him we were talking about him!!!

[rofl]

les
 
Thanks everyone for your comments. The guy is being watched by several concerned employees who are documenting any time he does it again. We want to make sure that the info he mentions could ONLY be known through reading the mail before bringing in the big guns. I'm sure he'll hang himself soon enough.

McRocken
 
If nothing else, McRocken, the amount of time that Slime Ball spends reading other people's e-mails, then "creeping" around to show off his creepiness represents a clear Dereliction of Duty -- He cannot be doing his "real work" while he's being creepy/slimy.

That, in and of itself, should be enough for his superiors to be disappointed enough to take action. How would the superiors feel if everyone emulated Slime Ball's work "ethic"?...The University would never accomplish anything of worth. (Bring that point up to the Dean when you all finally "lower the boom" on Slime Ball.)

...And, keep us posted on your progress.

[santa]Mufasa
(aka Dave of Sandy, Utah, USA)
 
The documentation part of this is a very good point. Even if it is just little shorts like

“Sept 12th. Slime ball said he read this." “Sept 13th Slime ball asked if my sick mother was better.” Everything.

That is legal documentation and carries a lot of weight believe it or not. Have all that are concerned do it on every event. Give this to the dean. This should make him take some sort of action. If not the legal services will.


"Wise men speak because they have something to say; Fools because they have to say something."
(Plato)


 