
Monitoring of email/internet use is it ethical and is it legal?

Status
Not open for further replies.

229257

Programmer
Apr 23, 2002
54
GB
We have recently installed a couple of products that monitor email and internet use on the network. I have heard some comments that this may not be legal or ethical.

I have tried to research this topic without a clear statement of what is legal and what is not legal. Does anyone have a clear answer, or a reference to some sound articles/guidelines that will make this matter clearer?

I am receiving flak from some users saying this is not legal, but I don't have a clear response.

Is it the fact that this is new to the users and they are scared of being caught?
 
If it is legal I do not know (the question of snooping other people's mail). Ethical it is not. If the postman is opening your letters to look what is in it, they put him in jail. If I had a boss snooping into my mail I would use the account to attract spam, so he would have a lot to read.
Steven van Els
SAvanEls@cq-link.sr
 
If the users are on company equipment there is nothing illegal about it.

I am not sure that it is entirely unethical either. You are expected to use your work email for just that, work. It is not a personal account, the account belongs to the company that you work for. You are merely receiving email in trust for the company. In this way there is nothing wrong with looking at emails as they pass through the system.

Another viewpoint depends on what the email nanny does. Is there a person looking through each and every email or is the entire process automated or is it a mix of the two?
As it was pointed out in another thread a lot of finer point ethics become a rather gray area.

I can also see the point of the users. They don't want to feel that they are being watched. People need to feel some independence; if they are too restrained they begin to feel that their right to freedom is being infringed upon.

Personally, I feel it comes down to this. Is there a dire need for monitoring? Are employees wasting massive amounts of company time doing things they shouldn't? If they are, there may be a need for monitoring software. However, if I may use an analogy: The monitoring software is merely a bandaid. If you get cut you put a bandaid on, but that doesn't stop you from getting cut, it doesn't solve the problem. You need to keep from getting cut in the first place.
My point is that if your employees are spending excessive time wasting company work hours, you have a bigger problem than time wastage. You need to motivate employees to work when they are at work. Or you need to replace lazy ignorant people with better ones.

My take on it anyway.
That'll do donkey, that'll do
[bravo] Mark
If you are unsure of forum etiquette check here faq796-2540
 
I suspect that your users are just going to have to get used to it.

As the law and legal precedent stands in the US right now, it's legal. The company owns the server and has the right to say what is done with it. Also, the company is responsible for the consequences of the activities of its employees. As such, the company has the right to monitor what people are doing with the server, and that includes monitoring email.

The ethicality of the monitoring is a different matter. But so long as the monitoring is announced, and so long as that monitoring's impact on personnel policies is made clear, and so long as there is a well-defined acceptable use policy, I don't see an ethical issue, either.
______________________________________________________________________
TANSTAAFL!
 
This article discusses the legal aspects surrounding email monitoring and advises companies how to monitor employees' emails without violating privacy rights.

According to a survey by Quicktake, 42% of employers monitor their employees' emails. However, Michael Overly (author of E-policy [1]) found that only 60% of the employers who monitor emails actually have an adequate written policy in place. By monitoring emails without warning, employers are arguably infringing on an individual’s privacy and therefore susceptible to workplace privacy lawsuits. With a 3000% increase in privacy lawsuits filed over the past decade [2], it is a very real possibility that a disgruntled employee might try to seek compensation from your company in this way. However, as can be concluded from the court cases discussed below, employers can successfully protect themselves from these claims by implementing a sound email policy and taking uniform measures.

It is important to make two distinctions concerning the legality of email monitoring:

Federal and state law
The first distinction is one between federal law, which tends to be more biased towards the employer, and state law, which is usually the opposite. Under federal law the Electronic Communications Privacy Act (ECPA) allows companies to monitor employees' emails when one of three provisions is met: one of the parties has given consent, there is a legitimate business reason or the company needs to protect itself. Even though the ECPA requires a provision to be met, under federal law companies are generally allowed to monitor employees' email. However, companies need to be aware that this act might be subject to change. In July 2000 legislators proposed the Notice of Electronic Monitoring Act in which employers would be required to notify new employees of any electronic monitoring and provide annual notice to all employees. Employers that fail to inform employees of email monitoring could face civil suit damages of up to $20,000 [3]. However, since September 2000 there has been no further mention of this act. Even without the introduction of this new bill, employees can seek compensation through state law, where the legality of electronic monitoring is not so clear cut as it is under federal law. If your company has no email policy in place, an employee could argue that he or she had a reasonable expectation of privacy. However, if the company has implemented a written email policy where employees are informed about the possibility of email monitoring and warned that they should have no expectation of privacy, the company is protected from this type of privacy claim.

Email auditing and email interception
A second distinction to make is the difference between email auditing (sometimes called email monitoring), where email is checked after the actual transmission, and email interception (sometimes called email filtering), where email is intercepted and checked during transmission.


Several court cases have upheld that checking email after transmission is legal (i.e. email auditing), since it is viewed as no different than searching through a file in an employee’s drawer. For instance in a criminal case against a CIA employee charged with receiving inappropriate emails (United States v. Mark L. Simmons), the court ruled that the viewing of personal email did not violate federal wiretapping laws, since the email was not viewed while it was being transferred but was obtained from storage.


Email interception is not as clear cut as email auditing. However, cases in the United States have proven that most forms of email interception are permitted if this is done in a reasonable manner and is backed up by an email policy, as proven by the Nissan and Pillsbury cases: In 1991, Nissan Motor Corporation fired two employees after they had been caught sending sexually explicit emails. The employees took Nissan to court (Bourke v. Nissan) claiming unfair dismissal and violation of privacy. However, since the company had an email policy in place and had explicitly stated that employees’ emails would be monitored, the court ruled in favor of Nissan. In another case (Smyth v. Pillsbury Company) an employee was fired for communicating unprofessional comments over the company's email system. The email allegedly contained threats to "kill the backstabbing bastards" in sales management, and referred to the upcoming holiday party as a "Jim Jones Koolaid affair". When the employee claimed that the company had violated privacy laws, the court concluded that no reasonable person would consider the interception to be a highly offensive invasion of privacy, and that the company's interest in preventing inappropriate or unprofessional comments or illegal activity outweighed any privacy interest.

Email policy
So, does this mean that email monitoring is legal? Basically the answer is yes, IF your company has implemented a written email policy in which employees are warned that their emails can be monitored and that they should have no expectation of privacy. Not only will the existence of an email policy help you in a court of law, it will also educate your employees in the usage of email and may prevent many of the issues you were trying to stop by monitoring email. Make sure that the email policy is properly communicated to all staff and that any updates are circulated amongst all employees. It is preferable to have employees sign the email policy, including any additions to it, to prove that the employee has agreed to abide by the rules. Furthermore, email monitoring must be applied as uniformly as possible, since singling out an individual without a clear reason to do so could subject the company to discrimination claims.

Not obliged to monitor
In your email policy, it is important to note that although the company might perform monitoring, it is not obliged to monitor emails. Failure to include this clause could be interpreted as a commitment from your company to protect your employees from all harmful and inappropriate emails. Were an inappropriate email to slip through, an employee could technically sue your company for failure to protect him or her from offensive communications.

Take reasonable action
Remember though that even if email monitoring is allowed, employers must still take care when taking action based on email monitoring results. The City of Scottsdale faced paying out damages of $300,000 after it dismissed an officer for sending out a sexually offensive email to a colleague. The officer had just received a promotion and had sent an email to a female coworker asking if she would sleep with him now that he was promoted. Even though the recipient was a close friend of the officer and found the message amusing instead of offensive, the police department removed the officer from the promotions list and after several disputes ended up firing him. The officer sued the police department and was awarded $300,000 in damages.

Bottom line
If you perform email monitoring and do not yet have an email policy in place, it is strongly advisable to implement a policy without delay. Not only will this protect you from privacy claims, it makes good sense to document your company rules and communicate these to your employees. After all, how can you expect employees to know how to behave if you don't tell them what you deem to be appropriate usage of your system? If your company does not monitor email, nor have an email policy in place, it is time to seriously consider using these measures. Without them, any company that provides their employees with email access faces serious legal and business threats.
 
As a systems administrator it is a necessity to monitor people's emails. We have users sending 40 - 50mb emails internally (and trying to send them externally); a lot of the time it's junk and chain mails. If we didn't have the ability to check suspected mailboxes, the system would grind to a halt!!!

To make sure that any of the administrators don't abuse their access in the case of emails, all investigations have to be signed off by the IT Director, thus giving the users more peace of mind.

I agree there is an ethical question about looking in someone's private inbox, but then again it is a company system, and if it's private/personal, send it to their own email account, not work's (we don't restrict access to internet email).


Sketch

"Eagles may soar, but weasels don't get sucked into jet engines"

 
As a systems administrator it is a necessity to monitor people's emails. We have users sending 40 - 50mb emails internally (and trying to send them externally); a lot of the time it's junk and chain mails. If we didn't have the ability to check suspected mailboxes, the system would grind to a halt!!!

It is time to educate your users in the proper use of company equipment. You have a network and they are sending 50mb externally? Ever heard of zip drives, shared drives, exchange servers? There is a scala of options available to deal with these situations. Chain letters? I do not get them anymore, some remarks about the boss his time, fairy tales etc. scared them off.
Steven van Els
SAvanEls@cq-link.sr
 
I'm a user of a university and a lab tech there under the System Administrator. I see two concurrent problems with monitoring traffic in general.

In pro of monitoring, it does take liability if all users sign or acknowledge some sort of "You agree that we have the ability and are allowed to watch transmissions to and from your computer. Email, HTML, and many chat services are clearly viewable by the System administrator." warning. It may not be preventing being sued, but at least the users cannot say that they were un-alerted.

In against of monitoring, it puts a deep distrust in your users. You may be paying them, but that knowledge that you don't trust them does greatly lower loyalty. Also, in case of not doing it is peeing off technically oriented users. If I was the subject of that monitoring (like my school), I'd set up a proxy on my home computer through :80 https, ssh-ftp, ssh, PGP'ed email, and ad absurdum. I could easily fit all those tools on 1 floppy (windows and linux). And technically oriented mad users can shake other users into a riot of what they're preventing 'us' to do.
 
I know that it's easy for them to get the screen of any PC with the program winvnc (like my school); they have a proxy so I can't use mine either. Well, I'm against too. Even though I might be a future system administrator. I know information is power and so on. It is all designed to collect personal data and store them in profiles in huge database-files. If I see that one saved his/her password for hotmail on a PC in my school, I wipe it.
Employees will dare less. Which might be a bad thing to happen (like not visiting this forum anymore)
 