conca@handel.cs.colostate.edu (michael vincen conca) (05/23/91)
I am the system administrator for a group of research scientists in the psychology department here. Today I was presented with a rather touchy situation: Aproximately 1 month ago, a certain employee was advised that he/she was was acting in an inappropriate manner and that they needed to make certain adjustments in their attitude. A meeting was held between the head manager and this employee in which the above issue was discussed. All of this was summarized in a memo which was E-mailed to the employee. Yesterday, this employee was terminated. He/she was allowed to gather their things and purge all of their personal files from the system. Today, my boss asked if it would be possible to retrieve this employee's E-mail off of backup, find the memo, and print it out in case it was needed as evidence in a possible court case. Now for the tough questions. Is this legal? Is this ethical? If this person still worked here, I would immediately refuse. But since they don't, do they still have any rights to their E-mail? Right now, I am leaning towards refusing because I think a person's E-mail is theirs, regardless of their status with the organization. Anyone have any other opinions on this? -Mike -=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=--=*=- Mike Conca, Computer Science Dept. * conca@handel.cs.colostate.edu Colorado State University * conca@129.82.102.32 "Everyday, as the network becomes larger, the world becomes smaller."
burley@albert.gnu.ai.mit.edu (Craig Burley) (05/23/91)
In article <15110@ccncsu.ColoState.EDU> conca@handel.cs.colostate.edu (michael vincen conca) writes:
Aproximately 1 month ago, a certain employee was advised that he/she was
was acting in an inappropriate manner and that they needed to make
certain adjustments in their attitude. A meeting was held between the head
manager and this employee in which the above issue was discussed. All of
this was summarized in a memo which was E-mailed to the employee.
Yesterday, this employee was terminated. He/she was allowed to gather
their things and purge all of their personal files from the system. Today,
my boss asked if it would be possible to retrieve this employee's E-mail
off of backup, find the memo, and print it out in case it was needed as
evidence in a possible court case.
Now for the tough questions.
Is this legal? Is this ethical? If this person still worked
here, I would immediately refuse. But since they don't, do they still
have any rights to their E-mail? Right now, I am leaning towards refusing
because I think a person's E-mail is theirs, regardless of their status
with the organization. Anyone have any other opinions on this?
If the manager cc'ed himself or even kept a copy of the email he sent the
employee, he could certainly keep that copy for a possible court case. Of
course, the cc'ed version would be "better", but since any and all of this
could be easily forged in a text editor, I don't think it matters much.
I question the wisdom of using email for this kind of task anyway. Anyone
using email should assume:
- It is not secure
- Anything sent from one individual to another, no matter how private,
can be read and even rewritten, prior to delivery, by a cracker
- Anything a cracker can read, a cracker can email to someone else or
post in a newsgroup
Once when doing some maintenance on the email system at Prime, I came across
a fairly sensitive personal email (regarding employee performance) from a
director or VP in engineering, so I had a talk with him about email security
and as I recall he sent a memo out saying what I am about to say:
- Unless you're willing to risk the message not getting through, being
willfully changed by another person, and/or being publicized,
PRINT A MEMO ON PAPER, VERIFY IT YOURSELF (VISUALLY) (or your
trusted secretary can do this, of course), AND DELIVER THAT PIECE
OF PAPER, NOT AN ELECTRONIC VERSION!
- Once you've printed such a memo via a computer, immediately delete the
online version. Something that sensitive shouldn't be online unless
you've got a super-secure system, and even then, why take the risk when
retyping it, even if necessary, is so trivially easy?
IF this matter had been handled via memo, especially on letterhead, instead of
via email, it would be a lot more difficult for an employee to successfully
argue in court that he or she never received it.
And, to look at things from another point of view, you don't want to find out
that an employee you just fired for not following through on your email'ed
command indeed did NOT receive the email because the mailer was in a bad mood
that day!
In summary, to take an extreme but fairly wise viewpoint:
YOUR COMPUTER SYSTEM IS LIKE A FANCY BULLETIN BOARD. ELECTRONIC MAIL
IS LIKE POSTINGS ON THE BOARD WITH THE RECIPIENT'S NAME ON AN OTHERWISE
BLANK SHEET ON TOP. IF YOU WOULDN'T COMMUNICATE WITH SOMEONE ON A TOPIC
VIA SUCH A TECHNIQUE, then DON'T RELY ON A COMPUTER.
(I.e. the recipient might never see it; someone else, even everyone else,
might read it; someone might change it before the recipient sees it; the
recipient might read it and pretend to never have seen it; etc.)
This extreme viewpoint is probably best for those in management who are
unacquainted with computers and unlikely to even notice if their accounts,
email boxes, etc have been tampered with. (Basically, anyone who might
respond to an email message purporting to be from "Your System Administrator"
saying "For security reasons, please change your password to XYZZY" by
doing it!)
--
James Craig Burley, Software Craftsperson burley@gnu.ai.mit.edutjc@ecs.soton.ac.uk (Tim Chown) (05/23/91)
In <15110@ccncsu.ColoState.EDU> conca@handel.cs.colostate.edu (michael vincen conca) writes: >Yesterday, this employee was terminated. He/she was allowed to gather >their things and purge all of their personal files from the system. Today, >my boss asked if it would be possible to retrieve this employee's E-mail >off of backup, find the memo, and print it out in case it was needed as >evidence in a possible court case. >Now for the tough questions. > Is this legal? Is this ethical? If this person still worked >here, I would immediately refuse. But since they don't, do they still >have any rights to their E-mail? Right now, I am leaning towards refusing >because I think a person's E-mail is theirs, regardless of their status >with the organization. Anyone have any other opinions on this? I believe (in the UK at least) that an e-mail message has the same legal status as a phone call, ie. none. But I might be wrong. It certainly isn't ethical and would be most miffed if I knew people were doing this to me! Tim --
jeffl@NCoast.ORG (Jeff Leyser) (05/23/91)
In post <15110@ccncsu.ColoState.EDU>, conca@handel.cs.colostate.edu (michael vincen conca) says: !!I am the system administrator for a group of research scientists in the !!psychology department here. Today I was presented with a rather touchy !!situation: !! [...Deleted...] !!Today, !!my boss asked if it would be possible to retrieve this employee's E-mail !!off of backup, find the memo, and print it out in case it was needed as !!evidence in a possible court case. !! [...Deleted...] !! Is this legal? Is this ethical? If this person still worked !!here, I would immediately refuse. But since they don't, do they still !!have any rights to their E-mail? Right now, I am leaning towards refusing !!because I think a person's E-mail is theirs, regardless of their status !!with the organization. Anyone have any other opinions on this? I see two possible answers here, depending in large part on your school's past attitudes: A) All data on the system belongs to the school, regardless. Under this assumption, retrieving the memo would be in line with previous school policy. If I were asked to restore something of this nature, I would do so, but only after recieving a WRITTEN request from MY BOSS. After all, the system belongs to the school, not to me. B) Data is considered private. In this case, I would not retrieve the memo unless ordered to do so by someone VERY high up, as this would mark a significant change in school policy. Again, I would demand such a request in writing. The system still belongs to the school, but the school has previously stated (or heavily implied) that the data belongs to individuals. Maybe as a "way out" -- is there a draft copy on any backup? A draft would belong to the writer (in this case, the manager), so I see no problem in restoring that. And as a final step, TEACH YOUR USERS THAT EMAIL IS *NOT* THE PLACE FOR IMPORTANT DOCUMENTS OF THIS TYPE. AND TEACH THEM TO CC: THEMSELVES ON **ALL** EMAIL! Had a secretary typed up such a memo, you can be *DAMN* sure s/he would have kept a file copy. -- Jeff Leyser jeffl@ncoast.org Opinions? I thought this was typing practice! leyser@tsa.attmail.com
jb3o+@andrew.cmu.edu (Jon Allen Boone) (05/23/91)
conca@handel.cs.colostate.edu (michael vincen conca) writes: > this was summarized in a memo which was E-mailed to the employee. This should have been cc:'ed or bcc:'ed to the appropriate people. Mistake #1! > Yesterday, this employee was terminated. He/she was allowed to gather > their things and purge all of their personal files from the system. Today, > my boss asked if it would be possible to retrieve this employee's E-mail > off of backup, find the memo, and print it out in case it was needed as > evidence in a possible court case. I didn't think that email was allowed as evidence in a court case, due to the fairly simple method by which one could fake it! > Now for the tough questions. > Is this legal? Is this ethical? If this person still worked > here, I would immediately refuse. But since they don't, do they still > have any rights to their E-mail? Right now, I am leaning towards refusing > because I think a person's E-mail is theirs, regardless of their status > with the organization. Anyone have any other opinions on this? I'd say tell 'em you can't do it. First, I'm under the impression it would do them NO GOOD legally. Secondly, there ought to be some written policy which states: GROUP FOOS OPINION ABOUT OLD BACKUPED FILES. Certainly, if I had personal mail, whether from them or not, I wouldn't want them to read it after I had left. It seems intuitively wrong. After all, do you think that there is any inherrent difference between private mail of someone who works there and private mail of someone who doesn't? You already said that you would have said "No" if they still worked there. How has the situation changed in an important ETHICAL sense? I don't think it has. Ultimately, the machines belong to someone and that someone or their proxy will have to decide what the right thing to do is. Until then, stone-wall'em - JUST SAY NO! ----------------------------------|++++++++++++++++++++++++++++++++++++++++ | "He divines remedies against injuries; | "Words are drugs." | | he knows how to turn serious accidents | -Antero Alli | | to his own advantage; whatever does not | | | kill him makes him stronger." | "Culture is for bacteria." | | - Friedrich Nietzsche | - Christopher Hyatt | -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
kadie@m.cs.uiuc.edu (Carl M. Kadie) (05/23/91)
Here are some legal considerations (disclaimer: I'm not a lawyer): At least for conventional letters, the sender owns the copyright, but the recipient owns the letter. If e-mail is to be given the same status as conventional mail, the note (and its backups) belong to the person who was fired. The Electronic Communications Privacy Act of 1976 protects e-mail. According to some experts (see the current IEEE Software), e-mail privacy can be legally violated if notice is given (whether such a violation is ethical is a different question.) In your case, no notice was given, so you might be in violation of the ECPA. Also, a person who works for a public university has a constitutional right to privacy even with respect to school property. [From the ACLU handbook on the Rights of Teachers:] "An anonymous cartoon had appeared in a local newspaper ridiculing the financial and personnel policies of the Fair Lawn, New Jersey, Board of Education by depicting the board members a poker players, apparently gambling away employees' salaries and jobs. Suspecting the guidance counselor as the offending cartoonist, a board member entered the guidance counselor's school at night, found a janitor with a pass key, directed him to unlock the door to the guidance counselor's suite, and observing a slightly opened drawer in the guidance counselor's disk, pulled it completely open, revealing copies of the cartoon. The court ruled that this action violated the guidance counselor's Fourth Amendment rights." The worst thing that could happen is that the e-mail is retrieved and then a new policy is set up to retro-justify the retrieval (i.e. "The boss can look at anyone's email for any reason at any time.") - Carl references: Excerpts from the ECPA of 1986 are available via anonymous ftp from eff.org as file academic/ecpa.1986 (also see file academic/README). -- Carl Kadie -- kadie@cs.uiuc.edu -- University of Illinois at Urbana-Champaign
mjr@hussar.dco.dec.com (Marcus J. Ranum) (05/24/91)
kadie@m.cs.uiuc.edu (Carl M. Kadie) writes: >The Electronic Communications Privacy Act of 1976 protects e-mail. Not to my knowledge. It "protects" cellular phones (if something can be said to be "protected" by deterrence) because they are a service provided by a common carrier - I don't believe it says anything about e-mail at all. All the time, USENET seems to entertain itself by hypothesizing about The Law, and what it SHOULD or should not do, but the sad fact of the matter is that the legal system is designed so that the only way to make a really meaningful statement of fact about a situation is to feed a lawyer and get a decision. In other words, your e-mail is not protected, unless you're willing to hire a lawyer bigger and meaner than the other guy's - maybe then you have a chance. mjr.
kadie@m.cs.uiuc.edu (Carl M. Kadie) (05/24/91)
>kadie@m.cs.uiuc.edu (Carl M. Kadie) writes: >>The Electronic Communications Privacy Act of 1976 protects e-mail. ^^^ typo, that should be "1986" mjr@hussar.dco.dec.com (Marcus J. Ranum) writes: > Not to my knowledge. It "protects" cellular phones (if something >can be said to be "protected" by deterrence) because they are a service >provided by a common carrier - I don't believe it says anything about >e-mail at all. The ECPA of 1986 explicitly protects e-mail privacy. (It also, of course, tries to protect cellular telephone privacy.) Excerpts of the e-mail-related sections are available via anonymous ftp from eff.org in file academic/ecpa.1986. - Carl -- Carl Kadie -- kadie@cs.uiuc.edu -- University of Illinois at Urbana-Champaign
landers@zeus.mgmt.purdue.edu (Christopher Landers) (05/24/91)
In article <15110@ccncsu.ColoState.EDU> conca@handel.cs.colostate.edu (michael vincen conca) writes: >Today,my boss asked if it would be possible to retrieve this employee's E-mail >off of backup, find the memo, and print it out in case it was needed as >evidence in a possible court case. > IMHO, if the sender failed to keep a copy, he's SOL! Why do you feel that a person's civil/privacy rights depend upon whether he's still employed. Are terminated employees lesser beings? -- <================================><===============================> || Christopher Landers || PURDUE UNIVERSITY - KRAN 708 || || Krannert Computing Center || West Lafayette, IN 47907 || <=================== landers@zeus.mgmt.purdue.edu ================>
choda@milton.u.washington.edu (Bob Marley) (05/24/91)
burley@albert.gnu.ai.mit.edu (Craig Burley) writes:
- Unless you're willing to risk the message not getting through, being
willfully changed by another person, and/or being publicized,
PRINT A MEMO ON PAPER, VERIFY IT YOURSELF (VISUALLY) (or your
trusted secretary can do this, of course), AND DELIVER THAT PIECE
OF PAPER, NOT AN ELECTRONIC VERSION!
- Once you've printed such a memo via a computer, immediately delete the
online version. Something that sensitive shouldn't be online unless
you've got a super-secure system, and even then, why take the risk when
retyping it, even if necessary, is so trivially easy?
This is not entirely true.... mail encryption IS available and is available
for EASY use also. Encryption cuts down on chances that a "cracker" who has
access to your account, can read your mail. Unless he/she has the key....
But that does not stop them from deleting the mail. Of course any good
"cracker" wouldn't tamper with mail, as to not leave any footprints....
But there ARE people out there to destruct, sooooo....
True the paper version is probably safer, but since you have
purchased that multimillion dollar machine, and you also have concern
for the environment, why not do it on the ole 'puter? You would have to shred
any paper memo that was to "personal' also.... Its all a hassle to be private.riddle@hoss.unl.edu (Michael H. Riddle) (05/24/91)
The following is the relevant sections (I think) from the ECPA of 1986, as
codifed in Title 18, United States Code. Note particularly section
2702(b)(2), which allows access upon permission by the originator as well
as the recipient.
HOWEVER: the sysadmin who asked the question works for a university,
which is sure to have staff counsel. USE THEM. Get a REAL opinion from
the lawyer already being paid for legal advice!
I can't empahsize that enough. We can all easily find the federal law,
but several states have their own laws that need to be considered and the
institution may actually have thought about this and have policies (yes, I
know I'm probably dreaming.)
////excerpt begins/////
CHAPTER 121. STORED WIRE AND ELECTRONIC COMMUNICATIONS AND
TRANSACTIONAL RECORDS ACCESS
s 2701. Unlawful access to stored communications
(a) Offense. Except as provided in subsection (c) of this section
whoever
(1) intentionally accesses without authorization a
facility through which an electronic communication service is
provided; or
(2) intentionally exceeds an authorization to access that
facility; and thereby obtains, alters, or prevents authorized
access to a wire or electronic communication while it is in
electronic storage in such system shall be punished
as provided in subsection (b) of this section.
(b) Punishment. The punishment for an offense under subsection (a)
of this section is-
(1) if the offense is committed for purposes of commercial
advantage, malicious destruction or damage, or private commercial
gain
(A) a fine of not more than $ 250,000 or imprisonment for
not more than one year, or both, in the case of a first offense
under this subparagraph; and
(B) a fine under this title or
imprisonment for not more than two years, or both, for any
subsequent offense under this subparagraph; and
(2) a fine of not more than $ 5,000 or imprisonment for not
more than six months, or both, in any other case.
(c) Exceptions. Subsection (a) of this section does not apply with
respect to conduct authorized-
(1) by the person or entity providing a wire or electronic
communications service;
(2) by a user of that service with respect to a communication
of or intended for that user; or
(3) in section 2703, 2704 or 2518 of this title.
CHAPTER 121. STORED WIRE AND ELECTRONIC COMMUNICATIONS AND
TRANSACTIONAL RECORDS ACCESS
s 2702. Disclosure of contents
(a) Prohibitions. Except as provided in subsection (b)-
(1) a person or entity providing an electronic communication
service to the public shall not knowingly divulge to any person or
entity the contents of a communication while in electronic storage
by that service; and
(2) a person or entity providing remote computing service to
the public shall not knowingly divulge to any person or entity the
contents of any communication which is carried or maintained on
that service-
(A) on behalf of, and received by means of electronic
transmission from (or created by means of computer processing of
communications received by means of electronic transmission from),
a subscriber or customer of such service; and
(B) solely for the purpose of providing storage or computer
processing services to such subscriber or customer, if the provider
is not authorized to access the contents of any such communications
for purposes of providing any services other than storage or
computer processing.
(b) Exceptions. A person or entity may divulge the contents of a
communication-
(1) to an addressee or intended recipient of such
communication or an agent of such addressee or intended recipient;
(2) as otherwise authorized in section 2517, 2511(2)(a), or
2703 of this title;
(3) with the lawful consent of the originator or an addressee
or intended recipient of such communication, or the subscriber in
the case of remote computing service;
(4) to a person employed or authorized or whose facilities are
used to forward such communication to its destination;
(5) as may be necessarily incident to the rendition of the
service or to the protection of the rights or property of the
provider of that service; or
(6) to a law enforcement agency,
if such contents-
(A) were inadvertently obtained by the service provider; and
(B) appear to pertain to the commission of a crime.
--
<<<< insert standard disclaimer here >>>>
riddle@hoss.unl.edu | Nebraska Inns of Court
ivgate!inns!postmaster@uunet.uu.net | +1 402 593 1192
Sysop of 1:285/27@Fidonet | 3/12/24/9600/8N1/V.32/V.42biss884760@minyos.xx.rmit.oz.au (Shane Marquis [Nanook]) (05/24/91)
kadie@m.cs.uiuc.edu (Carl M. Kadie) writes: >The ECPA of 1986 explicitly protects e-mail privacy. (It also, of >course, tries to protect cellular telephone privacy.) Excerpts of the >e-mail-related sections are available via anonymous ftp from eff.org >in file academic/ecpa.1986. >Carl Kadie -- kadie@cs.uiuc.edu -- University of Illinois at Urbana-Champaign Could somone who has access to these file please send me a copy as i cant get that far accross the net. thanks in addvance. Shane.
imp@solbourne.com (Warner Losh) (05/24/91)
In article <15110@ccncsu.ColoState.EDU> conca@handel.cs.colostate.edu (michael vincen conca) writes: > Yesterday, this employee was terminated. He/she was allowed to gather > their things and purge all of their personal files from the system. Today, > my boss asked if it would be possible to retrieve this employee's E-mail > off of backup, find the memo, and print it out in case it was needed as > evidence in a possible court case. I won't cover the legal aspects, since I'm not a lawyer. Things I do know (all of this is SMTP mail): 1) It is possible to forge E-Mail with VERY LITTLE effort. I have done it in the past and it is UNTRACEABLE. 2) I don't think that it is admisable evidence in a court of law since it can be tampered with in a number of ways. First, I can edit the mbox file (or whatever) once I get the mail. Second, Just because a mail message has user foo as the sender doesn't mean that user foo sent the mail message (see #1). Basically, you can't prove that a given piece of e-mail was actually sent by the person who claims it was sent by, unless someone saw them send the mail message. It is not possible, in general, to even prove that someone got a copy and read the mail. The accused could very easily deny ever getting the mail message. Unless you saw the person read the mail, you can't prove that he did, even if you can show the mail in his in box and then later in his out box. User interfaces can do some odd things to mail. Also, the accused could argue that you tampered with the evidence (you do have the capability to do that (even if you wouldn't) since you are root). Unless you gave this person a paper copy of the Memo on some official looking letterhead, then I'd say that you wouldn't have very strong evidence to be used in a court of law. It would boil down to your word against his (which is what it was before). VMS's mail system has similar holes, btw. Warner P.S. Privacy enhanced mail doesn't solve most of these issues, although it makes it harder to forge mail (but not completely impossible). -- Warner Losh imp@Solbourne.COM The question to everyone's answer is usually asked from within
geertr@dbf.kun.nl (Geert Rolf) (05/24/91)
At a company (or a school/university etc) you use the computer to do your work. The results of the work belong to the employer (or the school etc) depending on your contract or the law. Sending E-mail can be private, unless the employer forbids you to use E-mail for anything else than "work". (Which should be stated in advance, as others said already) In case 'private' e-mail is permitted, the files should have the same protection as the companies phone-system: no-one is allowed to tap the public-phone (except with permission of some Court?), no employer is allowed to tap the companies phone system. When someone leaves a company, s/he should remove her/his personal files and leave her/his work. As a system-administrator you have to have some rules: only the owner or the author of a file can ask you to retrieve it from the backuptapes. (In this case: the memo came from the boss) In case the boss asks you to retrieve a file from someone still working there, i should send the boss to the person that owned or authored the file. (As the person has left the company and should have removed the personal files, it should not be a problem now. Although I do feel that the Integrity of the System Manager is questioned here) In day to day life, the system manager is asked to open files that belong to someone who got ill and the rest of the project is willing to proceed. It should not be hard to decide that the files contain "work" in that case. Anyway: most computers contain -among others- 'personal' files, and the Integrity of the System Manager should not violate <<privacy>>. (As should the Boss!!) /* Here in Holland law on Privacy is rather new, how about the U.S?? */ BTW: 'rumors' usually travel through companies by E-mail Geert Rolf, University of Nijmegen geertr@sci.kun.nl
sean@ms.uky.edu (Sean Casey) (05/24/91)
Something just doesn't smell right when an employer posts a notice saying that all email may be read by the administration. It seems a cheap way to avoid lawsuits, rather than a more difficult--but better for the employees--policy that email is private. I won't work for a company that doesn't value their employees enough to let their email stay private. Perhaps privacy enhanced mail will make a big difference. Unfortunately, although people want to distribute free PEM, some companies have tied it up with patent infringement threats. Oh, well... Sean -- ** Sean Casey <sean@s.ms.uky.edu>
vince@bcsaic.UUCP (Vince Skahan) (05/24/91)
[...let me preface by saying the following are my personal
opinions only and have no connection to Boeing...
I also don't want to fan any flames, so please take a
Valium or something before you melt the keys down with
an indignant response to anything below...it just an
opinion, guys...]
It's so fun to hear the wanna-be lawyers spouting their
opinions (oh, why not...I wanna-be too :-) )
Whether the company, school, etc. has grounds to fire or
not gets determined in court maybe based on the available
evidence and should be a separate question.
It seems that the forgery-possibility issue is the big one
related to the possible court appearance in the feature.
All a lawyer has to do is say "hey...my guy never got it
so he never knew...you have a copy he signed to prove that
the contents were gone over with him?" and the co. has a
problem related to the integrity of the e-mail message.
(speaking from company folklore and not as an employee or
representative of my employer, I hear my current employer
does everything in person on letterhead on paper for that
reason and probably others like "ensuring the employee
really knew their behavior was unacceptable and there were
risks...etc").
the fun part is the issue of "can a system manager go into
e-mail for info at any time?". At a commercial company,
I believe the answer is "perhaps" with a leaning toward
"probably" if the circumstances and internal procedures make
it appropriate to do so.
I also personally believe that snooping around anywhere
for the hell of it just because you have the system privs to
do so is both inappropriate and bordering on unethical.
[...no flame wars about "who are you to determine when the
time is right to do so" please...each person's interpretation
is different.
also no flames about "but it doesn't matter what the
company says, it's not right" because a company's handling
of internal matters via procedure has an easy appeal
procedure...sue the company for violating (insert legal
right here) in their procedures...]
My *understanding* of the situation *here* is that everything
you create and the facilities you use to create them are
the property of the company and that they can basically do
what they wish (again, my understanding of the procedures
rather than my personal reading of them) within bounds.
There are explicit procedures related to what is an acceptable
(and unacceptable) use of company resources in general
and computing in particular with the possible penalties
for violating them spelled out. All employees have to abide
by the procedures or they won't be employees for too long.
And the answer is "no...there aren't any internal net.police
out there reading mail" or I'd have heard about it in 4+ years
of running systems and networks here.
(unless they're REAL good... hey, maybe I should go through
MY mail just to be safe and destroy the backup tapes...
yeah, that's the ticket...Ollie North might still be working
if he had done so, right ?)
--
----------------------------------------------------------------
Vince Skahan
vince@atc.boeing.com ...uw-beaver!bcsaic!vince
(lifelong Phillies fan...pity me)statham@cactus.org (Perry L. Statham) (05/24/91)
In article <15110@ccncsu.ColoState.EDU> conca@handel.cs.colostate.edu (michael vincen conca) writes: >Now for the tough questions. > Is this legal? Is this ethical? If this person still worked >here, I would immediately refuse. But since they don't, do they still >have any rights to their E-mail? Right now, I am leaning towards refusing >because I think a person's E-mail is theirs, regardless of their status >with the organization. Anyone have any other opinions on this? You're right. It is a tough question. It seems to come down to two parts though - does whoever owns the hardware have a right to read another another persons mail reqardless if that person still has access to the mail. Let me phrase my opinion by phrasing the question another way. Suppose you go accross the hall, tell your boss Joe that you want to write a letter to your sweetheart during your lunch hour, and you need to borrow a piece of paper, a stamp, an envelope and a pen from Joe Boss. With these items you go back to your office and write the letter. Now, Joe Boss gets mad at you for some reason or another and fires you before you have a chance to mail the letter (you accidently leave it on your desk). DOES JOE BOSS HAVE THE RIGHT TO OPEN AND READ THE MAIL EVEN THOUGH IT HE LITTERALLY OWNS EVERYTHING IT WAS WRITEN ON-BY-IN. Absolutly not. The mail should be returned to you. If you would like to let Joe read it then (or even have a copy of it), then it is YOUR DECISION - NOT YOUR EX-BOSS'S. Perry Lee Statham Can statham@cactus.org You (512) 335-3881 <h> Grok (512) 467-1396 <w> It?
jeffl@NCoast.ORG (Jeff Leyser) (05/25/91)
In post <1991May23.172155.28633@decuac.dec.com>, mjr@hussar.dco.dec.com (Marcus J. Ranum) says:
!!kadie@m.cs.uiuc.edu (Carl M. Kadie) writes:
!! All the time, USENET seems to entertain itself by hypothesizing
!!about The Law, and what it SHOULD or should not do, but the sad fact of
!!the matter is that the legal system is designed so that the only way to
!!make a really meaningful statement of fact about a situation is to feed
!!a lawyer and get a decision.
Not so. The only way to make a really meaningful statement of fact about a
situation is to feed a JUDGE and get a decision. Lawyers, like USENET, give
opinions only. Lawyers just get paid a whole lot more.
--
Jeff Leyser jeffl@ncoast.org
Opinions? I thought this was typing practice! leyser@tsa.attmail.combri@kpc.com (Brian Rice) (05/25/91)
In article <1991May24.151412.28103@ms.uky.edu> sean@ms.uky.edu (Sean Casey) writes: >Something just doesn't smell right when an employer posts a notice >saying that all email may be read by the administration. It seems a >cheap way to avoid lawsuits, rather than a more difficult--but better >for the employees--policy that email is private. > >I won't work for a company that doesn't value their employees enough >to let their email stay private. > And as an administrator I must point out the occasion inevitability that I must peruse the header of your returned mail in order to debug fouled up addressing or, (GOD FORBID!) some mistake I may have made in setting up the connections. The fact is, e-mail is not intended to be used for confidential documentation (at this point) and I think it is compassionate of a company to point that fact out to less sophisticated users. Please don't try to equate something as trivial as e-mail management with a something as non-trivial as a company's value on an employee. Brian C. Rice Systems/Network Administrator Kubota Pacific Computer, Inc. 2630 Walsh Ave., Santa Clara, CA 95051 (408) 748-6333 | bri@kpc.com | ..!uunet!kpc!bri
yzarn@lhdsy1.chevron.com (Philip Yzarn de Louraille) (05/26/91)
I recently asked my boss about e-mail privacy and several days later he forwarded to me some news articles which described several employees who had sued their company because of "eavesdropping" on their e-mail which they considered private. The employees lost. The couts sided with the company: basically speaking, the computers, the network and their use belong to the company. Since the employees also work for the company, then they should not use e-mail fro private business/use. -- Philip Yzarn de Louraille Internet: yzarn@chevron.com Research Support Division Unix & Open Systems Chevron Information & Technology Co. Tel: (213) 694-9232 P.O. Box 446, La Habra, CA 90633-0446 Fax: (213) 694-7709
sean@ms.uky.edu (Sean Casey) (05/26/91)
bri@kpc.com (Brian Rice) writes:
[Explains that systems people must sometimes look at mail headers,
that email is not to be used for confidential documentation, that
employers are compassionate when they point this out, and that I have
confused email management with how a company values its employees.]
I have to agree with the first. I'm a systems programmer for a WAN
that passes thousands of messages a week. All of the mail software
I've seen (including Unix mailers like MMDF and sendmail), generally
only write headers when they display debugging info. The body is
usually useless for problem determination; I don't even want to see
it.
I don't feel that I should read the body of a message unless it is
absolutely necessary, which is almost never. If I did, and it weren't
required to keep mail running, I'd expect to be terminated or strongly
disciplined for a serious breach of our users privacy.
What email "should" be used for, and what people expect to use it for
are sometimes two different things. Just because a company owns the
equipment is not ethical license to define extremely narrow uses or to
read employee mail. Most people would find such a policy unreasonable.
Remember, just because it may be legal doesn't make it right.
If a company said it was going to rifle your desk and your company car
whenever it felt that it was its advantage to do so, how would you
feel? What if they said they'd steam open your mail? Or that they
would tap your telephone at random? Or all of the above? Would you
work there? I wouldn't. I'd find it goddamn insulting.
And I don't think "compassion" is the driving force behind notifying
people their mail can be bugged at any time. I believe it is fear of
litigation. A compassionate company wouldn't bug an employees mail or
tap their telephone or search their office unless there were
extraordinary circumstances and then only in cooperation with the
police. A compassionate company would respect their employees, and
find means of dealing with problems that don't punish the good people.
Companies should remember what goes around comes around. If they want
to attract good people and get them to work, they had better treat
them with professional respect.
Sean
--
** Sean Casey <sean@s.ms.uky.edu>cavrak@kira.UUCP (Steve Cavrak) (05/26/91)
conca@handel.cs.colostate.edu (michael vincen conca): > > Now for the tough questions. > Is this legal? Is this ethical? If this person still worked > here, I would immediately refuse. But since they don't, do they still > have any rights to their E-mail? Right now, I am leaning towards refusing > because I think a person's E-mail is theirs, regardless of their status > with the organization. Anyone have any other opinions on this? > > -Mike > Mike, I think that your approach is the correct one. (The original errors were in sending the notice via email in the first place, and that was compounded by not having a copy. But that is neither here nor there.) What I would do is a. may a copy of the backup tape so that it can be archived in storage. b. state your position to the supervisor. It would be nice if you had a copy of the university's (computer center) policy on this handy, or C. Suggest that the both of your work with the University's Personnel department and Legal Counsel to see what options are available. You may end up with a very big meeting with a lot of folks involved; certainly university computer service folks. D. My own suggestion is that it is best to leave the backup tape untouched (and untouchable) and restore the files only in the face of real legal action. The supervisor doesn't really NEED the copy NOW, s/he just wants it to cover his/her ass IN CASE. Well, the ass is uncovered, and we've all got pictures of it. So learn s/he should learnd to walk around that way with pride and dignity -- s/he might just start a fashion trend !! In all likelyhood, the employee will go off and get another job elsewhere. If there is an appeal, then the supervisor will have to admit to a less than perfect implementation of his/her decision (not really a serious error in any case -- since there must be other documentation on the case). At this point, you would get to the first NEED for a document, and the whole thing would be brought up as in C, but C would have prepared everyone for this in anycase and may have even thought up an answer. See ya Steve
khushro@caen.engin.umich.edu (Khushro Shahookar) (05/27/91)
>ECPA of 1986 > CHAPTER 121. STORED WIRE AND ELECTRONIC COMMUNICATIONS AND > TRANSACTIONAL RECORDS ACCESS This does not give any thing of much use for protecting privacy. We know that computer privacy should be protected, but the law is not powerful enough to guarantee that. I guess the words "electronic communication in electronic storage in an electronic system" can be stretched to include email, although the excerpts have not mentioned the words "computer" or "mail" one single time. >(a) Offense. Except as provided in subsection (c) of this section Note the exceptions the violators can worm their way into. > (1) intentionally accesses without authorization a >facility through which an electronic communication service is >provided; or The key here is "without authorization". The boss can authorize any thing in a company, since he owns the company and the computers. So how do you determine what is autorized and what is unauthorized? >(c) Exceptions. Subsection (a) of this section does not apply with >respect to conduct authorized- > (1) by the person or entity providing a wire or electronic >communications service; Who is providing the email service? Is it the system administrator? If so, the law says that he can read any one's mail. It is kind of like no privacy from the mail man. Is the company's boss, or the company itself providing the email service, along with all the computer equipment? if so, then the boss can have any one's email read. That is like saying that the federal government can read any one's US mail, since it is providing the service. -KHUSHRO So much news, so little time ...
braun@dri.com (Kral) (05/28/91)
In article <15110@ccncsu.ColoState.EDU> conca@handel.cs.colostate.edu (michael vincen conca) writes:
[stuff about when is it legal/ethical to read email].
Here is what our Personnel department says, based upon various legal documents
and privacy seminars she, er, they have attended:
email and files in users directories are treated the same as employees desks.
They may contain "private" stuff, or stuff necessary to company operations.
Like desks, computer files are not the employee's property. BUT, if the
company (university, etc) gives the employees the impression that it is
private, then goes and looks, an invasion of privacy suit could hold up.
So I publish a memo once or twice a year that says this: files are not private.
We have the right to look at them any time we think it is necessary to carry
out our jobs; especially since we have certain obligations to the net.
But I also tell my employees this: if I ever catch them poking around in other
peoples files without good business reasons, they will be terminated
immediately. They have more important things to do with there time.
Our legal counsel and our personnel department agree with this policy.
--
kral * 408/647-6112 * ...!uunet!drivax!braun * braun@dri.com
Whoever is calm and sensible
is insane
-- Rumikadie@m.cs.uiuc.edu (Carl M. Kadie) (05/28/91)
braun@dri.com (Kral) writes: [...] >Here is what our Personnel department says, based upon various legal documents >and privacy seminars she, er, they have attended: >email and files in users directories are treated the same as employees desks. >They may contain "private" stuff, or stuff necessary to company operations. >Like desks, computer files are not the employee's property. BUT, if the >company (university, etc) gives the employees the impression that it is >private, then goes and looks, an invasion of privacy suit could hold up. >So I publish a memo once or twice a year that says this: files are not >private. >We have the right to look at them any time we think it is necessary to carry >out our jobs; especially since we have certain obligations to the net. Disk space should be given the same status as desk space. But, are you giving disk space its due? Many universities, as a matter of policy, say explicitly that faculty and student office space is *private*. - Carl p.s. What obligations to the net require you to deny privacy to faculty and students? -- Carl Kadie -- kadie@cs.uiuc.edu -- University of Illinois at Urbana-Champaign
david@talgras.UUCP (David Hoopes) (05/28/91)
In article <15110@ccncsu.ColoState.EDU> conca@handel.cs.colostate.edu (michael vincen conca) writes: > >Yesterday, this employee was terminated. He/she was allowed to gather >their things and purge all of their personal files from the system. Today, >my boss asked if it would be possible to retrieve this employee's E-mail >off of backup, find the memo, and print it out in case it was needed as >evidence in a possible court case. > >Now for the tough questions. > Is this legal? Is this ethical? If this person still worked >here, I would immediately refuse. But since they don't, do they still >have any rights to their E-mail? Right now, I am leaning towards refusing >because I think a person's E-mail is theirs, regardless of their status >with the organization. Anyone have any other opinions on this? > > -Mike > Assuming that the system is one that is provided by the employeer (not a "Public" facility. Then IMHO it is legal. The employeer owns the contents of that system including mail. Is it ethical, yes. I tell all of the users on my systems that I can and will read anything that gets put on the system. My main reason for doing this is to ensure that they know that mail is not secure. If I where you I would point out to your boss that e-mail should not be used used for that kind of memo. I have never gone snooping in users mail ( I have work to do) but I would not hesitate to do so if I had any reason to. If I was your boss and I ask you to get something out of somesones mail box for a good reason like the one stated and you refused to do it, you would be the next guy out the door. And it wouldn't matter it the person still worked for the company or not. On the other hand if the boss did not have a good reason for snooping then I would resist. If he/she insisted I would do it but I would make sure that the person that was being snooped found out about it. Again this only applys to systems that are owned and operated by the company for employees to do company work on. Public systems are a whole differant ball game. -- --------------------------------------------------------------------- David Hoopes Tallgrass Technologies Inc. uunet!talgras!david 11100 W 82nd St. Voice: (913) 492-6002 x323 Lenexa, Ks 66214
eifrig@cs.jhu.edu (Jack Eifrig) (05/28/91)
More in the ongoing privacy debate: In article <80@talgras.UUCP> david@talgras.UUCP (David Hoopes) writes: > >Assuming that the system is one that is provided by the employeer (not a >"Public" facility. Then IMHO it is legal. The employeer owns the contents >of that system including mail. Bluntly, your (or my) opinion on the legality of such snooping is really of no interest; neither of us is a lawyer practicing in this area. >Is it ethical, yes. I tell all of the users on my systems that I can and will >read anything that gets put on the system. My main reason for doing this is >to ensure that they know that mail is not secure. If I where you I would >point out to your boss that e-mail should not be used used for that kind >of memo. I have never gone snooping in users mail ( I have work to do) but >I would not hesitate to do so if I had any reason to. "Any reason"? You mean like mere curiosity? And you claim this is ETHICAL? It's people like you that make encryption technology necessary. >David Hoopes Tallgrass Technologies Inc. >uunet!talgras!david 11100 W 82nd St. >Voice: (913) 492-6002 x323 Lenexa, Ks 66214 I'll keep this in mind if I ever happen to come in professional con- tact with you. This one's for you, Dave: -------------------------------------------------------------------------------- "As someday it may happen that a victim must be found, I've got a little list - I've got a little list Of society offenders who might well be under ground And who never would me missed - who never would be missed." - W.S. Gilbert, "The Mikado" --------------------------------------------------------------------------------
mcmahan@cs.unca.edu (Scott McMahan) (05/29/91)
In a very, very confusing article, Mike Conca writes: >I am the system administrator for a group of research scientists in the >psychology department here. Today I was presented with a rather touchy >situation: and it is explained: >Aproximately 1 month ago, a certain employee was advised that he/she was >was acting in an inappropriate manner and that they needed to make >certain adjustments in their attitude. A meeting was held between the head Whose attitude is being adjusted? The ones complaining or the one acting inappropriately? It is clear that either could expect the other to change, but not clear which is complaining. >Now for the tough questions. > Is this legal? Is this ethical? If this person still worked >here, I would immediately refuse. But since they don't, do they still >have any rights to their E-mail? Right now, I am leaning towards refusing >because I think a person's E-mail is theirs, regardless of their status >with the organization. Anyone have any other opinions on this? > -Mike Is all the E-Mail owned and read collectively, or is it considered the property of each person? Did all the people involved quit at the same time? -------------------------------------------------------------------- Scott McMahan mcmahan@cs.unca.edu #include <stddisclaimer.h> ---------------------------------------------------------------------
marchany@vtserf.cc.vt.edu (Randy Marchany) (05/29/91)
In article <eifrig.675445250@voronoi.cs.jhu.edu> eifrig@cs.jhu.edu (Jack Eifrig) writes: > Bluntly, your (or my) opinion on the legality of such snooping is >really of no interest; neither of us is a lawyer practicing in this area. > Amen. The Electronic Mail Association sponsored a white paper on the privacy of electronic mail in companies. I list some papers for those that are interested and ask the group to direct their energies toward developing procedures for educating our respective user communities on responsible computer use. Here are some references for those who interested: 1. D.Johnson, J. Podesta, "Formulating a Company Policy on Access to and Disclosure of Electronic Mail on Company Computer Systems", Available from The Electronic Mail Assoc., 1555 Wilson Blvd, Suite 555, Arlington, VA 22209, 703-522-7111, 10/22/90 2. J. Linn, "Privacy Enhancement for Internet Electronic Mail", Part I is listed as RFC 1113, Part II is listed as RFC 1114, IAB Privacy Task Force, 8/89. Part III is listed as RFC 1115. 3. D. Parker, S. Swope, B. Baker, "Ethical Conflicts: Information and Computer Science, Technology and Business", QED Information Sciences Inc., Wellesley, MA 4. Internet Activities Board (IAB), "Ethics and the Internet", RFC 1087 appears in Comm. of the ACM, V32, No.6, p.710, 6/89. 5. MIT, "Teaching Students about Responsible Use of Computers, reprinted in the Comm. of the ACM, v32, No.6, p.704, 6/89 6. The National COmputer Security Center (NCSC) has a number of docs available from the Superintendent of Documents, NCSC, 9800 Savage Rd., Ft. Meade, MD 20755-6000. - CSC-STD-002-85, 4/12/85, DOD, "Password Management Guideline", 7. American Bar Assoc., Section of Science and Technology, "Guide to the Prosecution of Telecommunication Fraud by the Use of Computer Crime Statutes", ABA, 1989 The University of New Mexico has a collection of ethics docs via FTP, IP address 129.24.8.1 under the /ethics dir. -Randy Marchany VA Tech Computing Center Blacksburg, VA 24061 Internet: marchany@vtserf.cc.vt.edu
sean@ms.uky.edu (Sean Casey) (05/29/91)
eifrig@cs.jhu.edu (Jack Eifrig) writes: |In article <80@talgras.UUCP> david@talgras.UUCP (David Hoopes) writes: |>Is it ethical, yes. I tell all of the users on my systems that I can and will |>read anything that gets put on the system. My main reason for doing this is |>to ensure that they know that mail is not secure. If I where you I would |>point out to your boss that e-mail should not be used used for that kind |>of memo. I have never gone snooping in users mail ( I have work to do) but |>I would not hesitate to do so if I had any reason to. | "Any reason"? You mean like mere curiosity? And you claim this is |ETHICAL? It's people like you that make encryption technology necessary. I'd guess offhand that two-thirds of the computer crimes ever perpetrated have been motivated by curiosity. And I'm probably guessing low. Managers never get curious. Systems programmers have faultless ethics and would never peek at users mail for thrills. There's no social dynamics in an office. No bait ever for someone who wants to peek. Right? Or look at it another way: Most people think it's okay for someone to want privacy, and that such a want does not imply guilt. And most people will say that it is wrong to violate someone's privacy without extraordinary reasons. If I own a bus, and make blacks sit in the back, am I ethically correct because it is *my* bus? Owning the equipment does not make it right. If it does, it makes any abuse of persons right. One might as well shoot them in the head. Sean -- ** Sean Casey <sean@s.ms.uky.edu>
lee@wang.com (Lee Story) (05/29/91)
In article <7129@cactus.org> statham@cactus.org (Perry L. Statham) writes: In article <15110@ccncsu.ColoState.EDU> conca@handel.cs.colostate.edu (michael vincen conca) writes: >Now for the tough questions. > Is this legal? Is this ethical? If this person still worked >here, I would immediately refuse. But since they don't, do they still >have any rights to their E-mail? Right now, I am leaning towards refusing >because I think a person's E-mail is theirs, regardless of their status >with the organization. Anyone have any other opinions on this? It seems to come down to two parts though - does whoever owns the hardware have a right to read another another persons mail reqardless if that person still has access to the mail. Finally someone in this long thread has chosen to comment on the ethical issue, and has enough sense to know that the law and the economy do not determine ethics. People have been fired for opposing the monitoring of email (as, I'm sure, people have been fired for refusing to monitor paper inter-office mail). You take your chances. Civil liberties may not be important to you, or you may be desperate to keep your job. Nonetheless, if users have been given the impression, explicitly or by implicit convention, that they are using an unmonitored channel of communications, it seems unethical to make use of that channel's incidental characteristics (e.g., backup copies) for any purpose other than such communications. Does this mean that government wiretapping, and spying of all kinds, is unethical? Yes, I think it does. Here, law (what a government will allow in the self-interest of the governors) and ethics part company. My opinions are my own. It's pretty clear that no corporation or agency, and certainly no politician, would approve this sort of thing. -- ------------------------------------------------------------------------ Lee Story (lee@wang.com) Wang Laboratories, Inc. (Boston and New Hampshire AMC, and Merrimack Valley Paddlers) ------------------------------------------------------------------------
braun@dri.com (Kral) (05/29/91)
In article <LEE.91May28164840@meercat.wang.com> lee@wang.com (Lee Story) writes: > >Finally someone in this long thread has chosen to comment on the ethical >issue, and has enough sense to know that the law and the economy do not >determine ethics... >Nonetheless, if users have been given the impression, explicitly or >by implicit convention, that they are using an unmonitored channel of >communications, it seems unethical to make use of that channel's >incidental characteristics (e.g., backup copies) for any purpose other >than such communications. [I'm not a lawyer, nor am I in the legal profession, so I can't speak authoritatively on this subject; but I have discussed this at length with our legal department and our Human Resources dept.] In this case, at least as far as California is concerned, they are one in the same. If you give your employees the impression that email is a private communication channel, you may get zapped if you fire someone using information obtained by snooping therein. (I seem to recall that backups of email played a very large part in the IRAN CONTRA scandal -- some operator realized that they had copies of all the email that one of the big whigs [Casey?] had deleted). -- kral * 408/647-6112 * ...!uunet!drivax!braun * braun@dri.com "Talking trash, touching on truth" -- Micheal Hedges
rmarks@KSP.Unisys.COM (Richard Marks) (05/29/91)
I remember reading an article in the Wall Street Journal several months ago. I think it was one of the short column 5 vignettes about Law. Some employee had his desk files searched by his employer. It was declared legal. The files, the desk, and the building were owned by the employer. I do not remember all the details - like if a file explicitly labeled "Personnel - not realted to company business" was searched. But this is an interesting indication that e-mail may not be private. SOmeone posted excerpts from some Communications Act relating to privacy of electronic communications. The basic paragraphs had phrases like "authorized". Perhaps the company is authorized? Regards, Richard Marks
rodgers@clausius.mmwb.ucsf.edu (05/30/91)
The ethics and legality pertaining to the privacy of electronic mail are subtle and important issues. As regards ethics: Surely, the ethicality of reading other people's mail depends upon the specific setting. Where a machine is owned by a commercial or government enterprise and is clearly provided as a tool for the work of its employees, there may be grounds for acting as if all information on that machine is the property of the collective body concerned. However, given the scope for ambiguity here, it would still seem desireable to somehow make this explicitly clear to users--as, for example, with a one-line notice upon login or the invokation of the mail program. Where the rights and responsibilities of all parties are spelled out in advance, there is less scope for ethical murkiness. Even where it was stated that a host could be used for personal communications, there might be limitations placed upon users--as for example, with regard to the amount of system resources (esp. disk space) to be allowed such uses. This could lead to a situation where information would have to be archived or destroyed to free communal resources. Again, a clear (preferably written) policy would help alleviate future problems. As a joint system administrator/researcher in an academic research setting, I personally feel it a sacred duty to avoid any situation where I could even accidentally read another person's mail, which I consider to be private information. I am not certain that the Regents of UC share this opinion. Furthermore, I am troubled by the possibility that other users do not share this point of view, and by the ease with which a determined user could invade the privacy of others. To the extent that I do not take explicit action to prevent such abuses, I suppose that I share the blame. One technical point which has been insufficiently discussed here is the "secretmail" mechanism of certain (all?) UNIX hosts. I have not experimented with this, but as I understand, this uses a DES-like mechanism to send mail securely. I don't know how it is stored at either end (perhaps the encryption applies only to transmission?). A good technical discussion is in order here, conducted by someone more knowledgable than myself. As regards legality: the discussion thus far has been notable for the lack of participation by someone with legal training. Does anyone know a lawyer who might be interested in providing a more informed opninion on this point? Cheerio, Rick Rodgers R. P. C. Rodgers, M.D. (415)476-2957 (work) 664-0560 (home) UCSF Laurel Heights Campus UUCP: ...ucbvax.berkeley.edu!cca.ucsf.edu!rodgers 3333 California St., Suite 102 Internet: rodgers@maxwell.mmwb.ucsf.edu San Francisco CA 94118 USA BITNET: rodgers@ucsfcca
bzs@world.std.com (Barry Shein) (05/30/91)
> Is this legal? Is this ethical? If this person still worked >here, I would immediately refuse. But since they don't, do they still >have any rights to their E-mail? Right now, I am leaning towards refusing >because I think a person's E-mail is theirs, regardless of their status >with the organization. Anyone have any other opinions on this? Something to consider: Take the backed up e-mail and send it (tapes or whatever) to the company's corporate counsel with a cover letter explaining the situation as best you can and without being overly colorful. You can then choose whether or not to agree to provide technical assistance in moving it to a more convenient media if requested in writing from corporate counsel or equivalent. Save any correspondence. That would get you off any legal hook as others have made the decision, it doesn't sound to me like you have the authority within the company to make such a decision. What if the employee later sued the company for invasion of privacy? Would it be fair for them to say that you provided the e-mail? Remember, rats desert sinking ships fast, if it got to court there'd be a good chance that everyone would try to blame whoever recovered the mail ("We didn't know where he got this from...") As to the ethical matters that remain, you'd have to search your own conscience. There is a real issue of employees leaving, particularly not in the most congenial circumstances, and the fear/belief/knowledge that real business is coming into their e-mail box that needs to be attended to (e.g. customers who need to be redirected to new staff.) I think it's safe to assume that it's the responsibility of the employee to inform personal correspondents that the mailbox is no longer valid for personal mail. There's a fine line there, but it's important to make a cut-off and make it clear to staff when this would be (say, one week after leaving we consider any new correspondence in your mailbox our property and assume it to be only business correspondence which needs to be attended to.) It's also a good reason to try to cut off employee-employer relations as amicably as possible, but lord knows I know how hard that can be. The same sort of problem arises with paper mail and ex-employees who might be receiving business correspondence to their name. -- -Barry Shein Software Tool & Die | bzs@world.std.com | uunet!world!bzs Purveyors to the Trade | Voice: 617-739-0202 | Login: 617-739-WRLD
phil@brahms.amd.com (Phil Ngai) (05/31/91)
None of the responses to this question seem to consider the fact that the email which he was asked to retrieve was sent by the same person who wants it. If the sender had made a carbon copy, this wouldn't be necessary. But since the sender wrote the memo in the first place, is this really a violation of privacy in the sense that the sender would learn something he didn't already know? -- The media is in the business of distorting people's perception of reality, by emphasising the out of the ordinary.
rodney@sun.ipl.rpi.edu (Rodney Peck II) (05/31/91)
In article <1991May30.203700.25025@amd.com> phil@brahms.amd.com (Phil Ngai) writes: >None of the responses to this question seem to consider the fact that >the email which he was asked to retrieve was sent by the same person >who wants it. If the sender had made a carbon copy, this wouldn't be >necessary. But since the sender wrote the memo in the first place, is >this really a violation of privacy in the sense that the sender >would learn something he didn't already know? I think so -- since the sender didn't bother to make himself a CC, he's really just out of luck. If I fax something to you as my employee and throw away the original, can I rummage through your office when you are fired to get a copy of the fax? no. How is strolling through the backup tapes any different? -- Rodney
chip@osh3.OSHA.GOV (Chip Yamasaki) (05/31/91)
In <9tnh_wg@rpi.edu> rodney@sun.ipl.rpi.edu (Rodney Peck II) writes: >In article <1991May30.203700.25025@amd.com> phil@brahms.amd.com (Phil Ngai) writes: >>None of the responses to this question seem to consider the fact that >>the email which he was asked to retrieve was sent by the same person >>who wants it. If the sender had made a carbon copy, this wouldn't be >>necessary. But since the sender wrote the memo in the first place, is >>this really a violation of privacy in the sense that the sender >>would learn something he didn't already know? >I think so -- since the sender didn't bother to make himself a CC, he's >really just out of luck. If I fax something to you as my employee and >throw away the original, can I rummage through your office when you are >fired to get a copy of the fax? no. How is strolling through the >backup tapes any different? But he wouldn't necessarily have to stroll through the backup tapes. Certainly nobody could object to a script reading the mail. It's just a human reading it or data extracted from it that people object to. The sysadmin could write a script to search messages for only the one selected message. Then, when he is absolutely sure that he has extracted the right one he has done so without "rummaging" through the former employees mail. This still does not answer the question of whether it is acceptable, legally or ethically, to read that one message, but it certainly does get that one message without and grounds for complaint. -- -----------------------+--------------------------------------------------- Charles "Chip" Yamasaki| The opinions expressed here are my own and are not chip@oshcomm.osha.gov | supported or even generally accepted by OSHA. :-) -----------------------+---------------------------------------------------
david@talgras.UUCP (David Hoopes) (05/31/91)
In article <9tnh_wg@rpi.edu> rodney@sun.ipl.rpi.edu (Rodney Peck II) writes: >In article <1991May30.203700.25025@amd.com> phil@brahms.amd.com (Phil Ngai) writes: [stuff deleted] >>But since the sender wrote the memo in the first place, is >>this really a violation of privacy in the sense that the sender >>would learn something he didn't already know? > >I think so -- since the sender didn't bother to make himself a CC, he's >really just out of luck. If I fax something to you as my employee and >throw away the original, can I rummage through your office when you are >fired to get a copy of the fax? no. ^^ Why not. Assuming that the desk/office are on company property (assume that the person you faxed works for the same company that you do). What would keep that persons ex-boss from doing just that. Nothing. It is done all the time. We keep the files of ex employees for a long time. I have had reason to go thru some of them to get information that I needed to complete my work such as activeation keys, serial numbers, and passwords that where in the care of the ex-employee. I don't think that anyone can argue that those things belonged to the company and that I had legitamite need for that information. What is differant about an inter office memo, fax, or E-Mail? None. It belongs to the company. If someone has a reason to need something in that persons old e-mail restore it and go thru it. -- --------------------------------------------------------------------- David Hoopes Tallgrass Technologies Inc. uunet!talgras!david 11100 W 82nd St. Voice: (913) 492-6002 x323 Lenexa, Ks 66214
les@chinet.chi.il.us (Leslie Mikesell) (05/31/91)
In article <9tnh_wg@rpi.edu> rodney@sun.ipl.rpi.edu (Rodney Peck II) writes: >I think so -- since the sender didn't bother to make himself a CC, he's >really just out of luck. If I fax something to you as my employee and >throw away the original, can I rummage through your office when you are >fired to get a copy of the fax? no. How is strolling through the >backup tapes any different? Hmmm... Suppose you deserve a refund over some business matter and you send the details by mail/fax/email to someone who quits or is fired before handling it. Would you accept the excuse from the company that "we can't give you your money because we wouldn't feel right about rummaging through this ex-employee's office"? How is an internal memo any different? In a business situation wouldn't you expect someone to check for any unfinished business? What about new mail/fax/email that comes in after the person leaves? Les Mikesell les@chinet.chi.il.us
braun@dri.com (Kral) (06/01/91)
In article <9tnh_wg@rpi.edu> rodney@sun.ipl.rpi.edu (Rodney Peck II) writes: >I think so -- since the sender didn't bother to make himself a CC, he's >really just out of luck. If I fax something to you as my employee and >throw away the original, can I rummage through your office when you are >fired to get a copy of the fax? no. How is strolling through the >backup tapes any different? I really wish people would ask their Personnel and/or Legal departments before posting stuff like this. If you keep personal stuff in/on company property, then (*unless* you've been led to believe otherwise) it is *not* private. This has been held up on many occasions in court, and makes perfect sense, at least to me. I don't see how this can be construed as an invasion of privacy. That's what *personal* property is for (*your* personal property, now someone else's). -- kral * 408/647-6112 * ...!uunet!drivax!braun * braun@dri.com "Talking trash, touching on truth" -- Micheal Hedges "1-900-I-LUV-YOU"
herrickd@iccgcc.decnet.ab.com (06/01/91)
In article <15110@ccncsu.ColoState.EDU>, conca@handel.cs.colostate.edu (michael vincen conca) writes: > > Aproximately 1 month ago, a certain employee was advised that he/she was > was acting in an inappropriate manner and that they needed to make > certain adjustments in their attitude. A meeting was held between the head > manager and this employee in which the above issue was discussed. All of > this was summarized in a memo which was E-mailed to the employee. > > Yesterday, this employee was terminated. He/she was allowed to gather > their things and purge all of their personal files from the system. Today, > my boss asked if it would be possible to retrieve this employee's E-mail > off of backup, find the memo, and print it out in case it was needed as > evidence in a possible court case. > Here are some suggested actions: 1. With the permission of the sender of the memo, go through his backups to find his copy of the memo and provide it to management. 2. For your own protection, isolate a backup containing the employee's copy of the memo and preserve that backup in a bank vault somewhere. Tell management that you expect you would be able to produce it in response to a subpoena, but don't think it is appropriate to do so without legal compulsion. ("You expect" means there is a good copy that you could swear is a correct copy preserved where you think it will not be destroyed accidentally or intentionally.) 3. Take some precautions (unusual but not draconian) to protect the security of the working backups containing the ex employee's files. (Security against unauthorized access and security against tampering.) If the author did not keep a copy long enough for it to get into an overnight backup, give him a gentle education in the proper use of mail. With or without the author's copy, item two above should satisfy your management and satisfy your conscience with respect to proper treatment of private communications that pass through your hands. dan herrick herrickd@iccgcc.decnet.ab.com
sbrack@bluemoon.uucp (Steven S. Brack) (06/03/91)
braun@dri.com (Kral) writes: > In article <9tnh_wg@rpi.edu> rodney@sun.ipl.rpi.edu (Rodney Peck II) writes: > >I think so -- since the sender didn't bother to make himself a CC, he's > >really just out of luck. If I fax something to you as my employee and > >throw away the original, can I rummage through your office when you are > >fired to get a copy of the fax? no. How is strolling through the > >backup tapes any different? > > I really wish people would ask their Personnel and/or Legal departments befor > posting stuff like this. If you keep personal stuff in/on company property, > then (*unless* you've been led to believe otherwise) it is *not* private. Th > has been held up on many occasions in court, and makes perfect sense, at leas > to me. I don't see how this can be construed as an invasion of privacy. > That's what *personal* property is for (*your* personal property, now someone > else's). It might help to look at this as a paper memoin an employee's desk. Now, if the employee left it there, then it's fairly obvious that the company has claim on it. But, in this case, it's a question of retrieving the document from backup. That would be more akin to the company going through an employee's desk, without his knowledge, & photocopying anything in it. A company's right to keep copies of personal material without the knowledge or consent of the employees is questionable, to say the least. We could also look at it as being a personal letter the employee took with him when he left (assuming thee-mail was deleted by the employee before his termination), & is now needed for "legal" reasons. In that case, a search & seizure warrant would be required. The use of e-mail is so analogous to paper mail that it is often easier to apply familliar standards that fit quite well, than to invent a new standard. While this does reduce the scope of the problem, the essential question remains: is using archives of employee mail, which the employees probably never consented to, legal? Personally I think it's unethical for a sysadmin to use his tools to access users' personal e-mail without their permission, or a search warrant. If the document is essential to the case, then it is part of the power of discovery to order relevant documents produced, but the relevence & essential nature of the document would have to be decided by an (impartial) judge. I'm not a lawyer, but I have read extensively on privacy law. =========================================================================== Steven S. Brack sbrack@bluemoon.uucp The Ohio State University sbrack%bluemoon@nstar.rn.com sbrack@isis.cs.du.edu ===========================================================================
res@colnet.uucp (Rob Stampfli) (06/03/91)
> Prehaps I should keep valuables locked > up (a sad commentary on our society) but one can not 'lockup' messages > from the privelaged account holder (root). If you are truly interested in protecting your computer valuables, I'm afraid it's not root you have to be concerned with, it is Senator Biden. -- Rob Stampfli, 614-864-9377, res@kd8wk.uucp (osu-cis!kd8wk!res), kd8wk@n8jyv.oh
gary@sci34hub.sci.com (Gary Heston) (06/04/91)
In article <51171@prls.UUCP> sccs@prls.UUCP (Source Code Control System) writes: > > I view the computer as an extention of my desk. The > company may own the desk, the envelope and even the paper but they still > have no right reading my mail. Sure they do. Check the postal regulations--if it's addressed to you at work, even if their name isn't on the envelope, even if it's marked "personal". Ask anyone at Xerox, it's a policy there (according to a former X-er I've worked with) to open EVERYTHING that comes in. I've had the same problem at a small company; the office manager opened everything. Until he opened something personal addressed to the owner.... :-) > Prehaps I should keep valuables locked > up (a sad commentary on our society) but one can not 'lockup' messages > from the privelaged account holder (root). Sure you can. There's a function called "crypt" that can eliminate your concerns. Being root doesn't allow reading the files once encrypted. > Root's privelages are > available only becouse there exist a genuine administrative need for > them. Using the privelage to read other peoples personal files is an > abuse of those powers and a violation of the trust users expect. I disagree. As an admin, it's my job to look at anything on the system necessary to make sure it's up and running for ALL the users. If that means finding out what a 10MB file cluttering up a spool directory is, and it turns out to be email, fine. What I don't do is read files I don't have reasons or orders to. There are some companies that monitor (i.e., capture a copy of and read) ALL email traffic. We don't, and I'll recommend against it if the question arises. Something else I don't do is talk about what I find in files. That would be a violation of trust. (Resumes and job search letters aren't uncommon, and I have in fact covered for a user in the past, when some files got left somewhere noticable.) Looking when I have to is my job, not an abuse. Forwarding a copy of email on a personal matter to the rest of the company would be. > In the original article, the author wondered if looking for the file > (memo) may be OK since the owner is now an ex-employee. I would argue > that the person may be an ex-employee but he/she is not an ex-person. It > seems doubtfull that the correct file can be found without violating > the account holder's privacy. The point is, the files were LEFT BEHIND by the ex-employee. Therefore, they were of no concern to the ex-employee. When someone here leaves, I generally expect them to clear all personal stuff from their directory, and document what's left. There's no longer any privacy to violate. The only situations I can see where this won't happen are twofold: 1) termination by employer, and 2) death. In either of these cases, once again, it's the admins' job to separate things. Under case 1, I'd try to forward any non-company private stuff, including email, to whoever was fired. Under case 2, I'm not sure what would happen-- I haven't run into it yet, and don't look forward to it. > Prehaps you could contact the individual > and ask if the file exist and if so, ask for the filename. Try a > civil approach first - maybe it will prevent the morality issue altogether. I don't see a morality issue coming up, unless it's unauthorized use of company resources for personal applications. I don't balance my checkbook on this machine, and don't keep personal/confidential stuff on here. There may be some things that are more my interest than the companys' generally technical items or copies of stuff from the net, but not personal items. I don't even keep a copy of my resume on any systems around here. By the way, most ex-employees aren't interested in trying to remember filenames and such after they've left, or answering any type of questions about what they were working on. They did have reasons for leaving, after all. Usually, there's someone who has to take over the work that the departing individual was doing, so they must have access to everything left behind. Unless you think a company should stop a project just because a programmer leaves, to respect their privacy? Should AT&T stop working on UNIX if one of their staff leaves? > I see no problem retrieving the memo IF one knew the file name it had > been saved under, and the request came from the author of the memo. However, mail is generally in a few big files that are conglomerations of many messages, so it'd mean Mr. Admin would have to grep for the senders' name, vi the file to verify that it was the desired message, and copy it out. Which means Mr. Admin is going to see a lot. I think you have an overly idealistic concept of what these computers in the office are for--certainly not for maintaining a confidential, secure place for you to keep mail. If it isn't work related, don't leave it laying around. If it's on a system, expect it to be seen. -- Gary Heston System Mismanager and technoflunky uunet!sci34hub!gary or My opinions, not theirs. SCI Systems, Inc. gary@sci34hub.sci.com I support drug testing. I believe every public official should be given a shot of sodium pentathol and ask "Which laws have you broken this week?".
henderso@mpr.ca (Mark C. Henderson) (06/04/91)
In article <1991Jun3.175631.1451@sci34hub.sci.com> gary@sci34hub.sci.com (Gary Heston) writes:...
->> Prehaps I should keep valuables locked
->> up (a sad commentary on our society) but one can not 'lockup' messages
->> from the privelaged account holder (root).
->
->Sure you can. There's a function called "crypt" that can eliminate your
->concerns. Being root doesn't allow reading the files once encrypted....
I'd just like to point out that the security offered by Unix "crypt" can
be broken rather easily. Try using software that uses a more secure
algorithm.
Mark
--
Mark C. Henderson, Special Service Networks, MPR Teltech Ltd. 8999 Nelson Way,
Burnaby, BC V5A 4B5 CANADA +1 604 293 5474 (voice), +1 604 293 6100 (fax)
Email: henderso@mpr.ca, uunet!ubc-cs!mprgate!hendersobaier@unipas.fmi.uni-passau.de (Joern Baier) (06/04/91)
In article <1991Jun2.200609.16799@colnet.uucp> res@colnet.uucp (Rob Stampfli) writes: >If you are truly interested in protecting your computer valuables, I'm afraid >it's not root you have to be concerned with, it is Senator Biden. As someone who is not familiar with the details of US-politics: Who is Biden? Joern. -- Joern Baier (baier@unipas.fmi.uni-passau.de) Jesuitengasse 9 D-W8390 Passau Tel.: +49/851/35239
baier@unipas.fmi.uni-passau.de (Joern Baier) (06/04/91)
In article <1991Jun3.175631.1451@sci34hub.sci.com> gary@sci34hub.sci.com (Gary Heston) writes: >[...] >Sure you can. There's a function called "crypt" that can eliminate your >concerns. Being root doesn't allow reading the files once encrypted. >[...] From the crypt manual page: CRYPT(1) USER COMMANDS CRYPT(1) RESTRICTIONS This program is not available on software shipped outside the U.S. Has anyone an idea why? Joern. -- Joern Baier (baier@unipas.fmi.uni-passau.de) Jesuitengasse 9 D-W8390 Passau Tel.: +49/851/35239
braun@dri.com (Kral) (06/04/91)
In article <8XJX32w164w@bluemoon.uucp> sbrack@bluemoon.uucp (Steven S. Brack) writes: > It might help to look at this as a paper memoin an employee's >desk. Now, if the employee left it there, then it's fairly obvious that >the company has claim on it. But, in this case, it's a question of >retrieving the document from backup. That would be more akin to the >company going through an employee's desk, without his knowledge, & >photocopying anything in it. Here, and elsewhere, you state that the backups are made without the employee's consent. I disagree with this claim. The company has me back up the files in order to ensure the surviveability of those files in case something happens to them. They pay employees who work on this computer a salary (good, bad, or otherwise) to do company work, not to do personal work. Therefore, they view all files on this computer as work related. If an employee choses to put personal stuff on here, and leave it on long enough for it to get backed up, then they are either knowingly taking their chances, or are just plain stupid (again, we make sure the employees know that their files are *not* private). >Personally I think it's >unethical for a sysadmin to use his tools to access users' personal e-mail >without their permission, or a search warrant. I think this is the crux of the debate: can something kept in a company desk or on a company supplied computer be considered "personal" (to the employee)? Particularly if it were obtained by using company resources (eg: electronic mail paid for by the company). Whereas a radio stored in a desk by an employee clearly belongs to the employee (assuming he bought it), message obtained via company resources are, IMNSHO, clearly the property of the company. (This gets murkier when you consider files whose content was originated by the employee in question -- see discussions on intellectual copyrights, etc). [IMNSHO - in my not so humble opinion] -- kral * 408/647-6112 * ...!uunet!drivax!braun * braun@dri.com "Talking trash, touching on truth" -- Micheal Hedges "1-900-I-LUV-YOU"
rickert@mp.cs.niu.edu (Neil Rickert) (06/04/91)
In article <1991Jun4.144731.685@forwiss.uni-passau.de> baier@unipas.fmi.uni-passau.de (Joern Baier) writes: >From the crypt manual page: > >CRYPT(1) USER COMMANDS CRYPT(1) > > > >RESTRICTIONS > This program is not available on software shipped outside > the U.S. > >Has anyone an idea why? Because of a severe case of the politician's stupidity syndrome. -- =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*= Neil W. Rickert, Computer Science <rickert@cs.niu.edu> Northern Illinois Univ. DeKalb, IL 60115 +1-815-753-6940
rdippold@cancun.qualcomm.com (Ron Dippold) (06/05/91)
In article <1991Jun4.143313.482@forwiss.uni-passau.de> baier@unipas.fmi.uni-passau.de (Joern Baier) writes: >In article <1991Jun2.200609.16799@colnet.uucp> res@colnet.uucp (Rob Stampfli) writes: >>If you are truly interested in protecting your computer valuables, I'm afraid >>it's not root you have to be concerned with, it is Senator Biden. >As someone who is not familiar with the details of US-politics: Who is Biden? Senator Joe Biden, master of plagarism and sponsor of a bill that reads to the effect of: "Stopping terrorism being necessary, all data, whether transmitted or stored, must be able to be decoded by the government." It's a blatant case of big brother not wanting people to be able to be able to do business without it knowing about it. This comes very close on the trail of the new Motorola cellular phones that let you scramble your conversations so that nobody else can eavesdrop. If it is passed it will likely be ignored, and if they try to enforce it it will probably be declared unconstitutional, or perhaps a big enough stink will be made to get it repealed. But we always have to be on the lookout for this kind of thing. -- Standard disclaimer applies, you legalistic hacks. | Ron Dippold
rdippold@cancun.qualcomm.com (Ron Dippold) (06/05/91)
In article <1991Jun4.144731.685@forwiss.uni-passau.de> baier@unipas.fmi.uni-passau.de (Joern Baier) writes: >From the crypt manual page: >CRYPT(1) USER COMMANDS CRYPT(1) > >RESTRICTIONS > This program is not available on software shipped outside > the U.S. > >Has anyone an idea why? Crypt makes use of the Data Encryption Standard (DES), an encryption technology that is supposedly unbreakable without spending nearly infinite amounts of computer time (although many believe that the National Security Agency purposely weakend the specifications to the point where they _can_ decode it). Anyhow, being a high-tech encryption algorithm, it has been Decreed that it shall not be exported to other countries, because they want to be able to decipher their data if necessary. It's sort of ridiculous, as one of the first implementations of the algorithm that I know of came from Scandinavia (Denmark?). -- Standard disclaimer applies, you legalistic hacks. | Ron Dippold
lewis@tramp.Colorado.EDU (LEWIS WILLIAM M JR) (06/05/91)
Crypt does NOT use the DES algorithm, rather: "... implements a one-rotor machine along the lines of the German Enigma, but with a 256 element rotor..." The stupidity of the export restriction is not ameliorated by this fact.
wolfgang@wsrcc.com (Wolfgang S. Rupprecht) (06/05/91)
rickert@mp.cs.niu.edu (Neil Rickert) writes: >In article <1991Jun4.144731.685@forwiss.uni-passau.de> baier@unipas.fmi.uni-passau.de (Joern Baier) writes: >>From the crypt manual page: >> This program is not available on software shipped outside >> the U.S. >>Has anyone an idea why? > Because of a severe case of the politician's stupidity syndrome. Especially since exporting Enigma cryptographic technology to Germany would be a clear danger to US national security. ;-) Actually it's probably a good thing that the Unix crypt(1) command isn't included in the standard distribution anymore. Unix crypt is pretty easy to break. A few years ago a package called "cbw" (Code Breakers Workbench) was posted to one of the sources groups. With this package one could interactively bash on the crypt generated code. Encrypted mail files, latex files, shell scripts, or anything with a known plaintext section would unravel pretty fast. Using crypt for anything more than its entertainment value is silly. A much better encryption engine based on DES is available from various source archives around the world. From the COPYRIGHT and RENAME files: Copyright 1989 Antti Louko. All Rights Reserved. This is a DES implementation written by Antti Louko (alo@kampi.hut.fi). It is based on DES description found in D.E.R. Denning's book Cryptography and Data Security. At this time you may use this program for non-commercial use. If you modify the program, you must add a comment in the modified file indicating who modified it. For commercial purposes please contact me. This program should compile just fine on VAX with BSD 4.3. On SUNS, you should edit Makerules to include -msoft-float option if you don't have FPU. For other machines you should typedef des_u_long to be an unsigned 32-bit integer type. If processor needs aligned multi-byte accesses, you may have to modify copy* -macros in des-private.h file. -- Wolfgang Rupprecht wolfgang@wsrcc.com (or) uunet!wsrcc!wolfgang Snail Mail Address: Box 6524, Alexandria, VA 22306-0524
martin@mwtech.UUCP (Martin Weitzel) (06/05/91)
In article <1991Jun3.211751.2686@mprgate.mpr.ca> henderso@mpr.ca (Mark C. Henderson) writes: >In article <1991Jun3.175631.1451@sci34hub.sci.com> gary@sci34hub.sci.com (Gary Heston) writes:... >->> Prehaps I should keep valuables locked >->> up (a sad commentary on our society) but one can not 'lockup' messages >->> from the privelaged account holder (root). >-> >->Sure you can. There's a function called "crypt" that can eliminate your >->concerns. Being root doesn't allow reading the files once encrypted.... > >I'd just like to point out that the security offered by Unix "crypt" can >be broken rather easily. Try using software that uses a more secure >algorithm. This has a bit of truth in it - but it's no real solution. Some text encrypted by standard crypt is safe against being read *accidentally* by the sysadmin (eg. during cleaning up lost+found after some disk crash). It is also true that encrypted text can be decrypted with some *effort*. The amount of this effort can vary by far. Usually it's the easier the more parts of the unencrypted text are known or can be guessed. (You may also understand this as a hint how to make your crypted text more secure: Substitute the "keywords" that may be expected in your text by something else.) But it's also true that the sysadmin can easily replace any "super-crypt" command by a program that only calls super-crypt, but stores the used key in some place. You may call such a sysadmin dishonest or helpful, depending on the scenario: Some user whos privacy is broken in this way would surely call this dishonest; a user who once forgets the key for an important file will surely be pleased if the system administrator can help him to save hours (or days and weeks) of retyping all the stuff. (Did I hear you say the latter scenario is quite unrealistic? Nobody would expect from the sysadmin to give him back the clear text of some encrypted file? I'd second that but why the h*** expect people that the sysadmin can give them back the files they just have rm-ed?) -- Martin Weitzel, email: martin@mwtech.UUCP, voice: 49-(0)6151-6 56 83
news@heitis1.uucp (News Administrator) (06/05/91)
In article <1991May26.004112.15971@ms.uky.edu> sean@ms.uky.edu (Sean Casey) writes: ... > >If a company said it was going to rifle your desk and your company car >whenever it felt that it was its advantage to do so, how would you >feel? What if they said they'd steam open your mail? Or that they >would tap your telephone at random? Or all of the above? Would you >work there? I wouldn't. I'd find it goddamn insulting. > Have you ever visited a Gov't building? I try to avoid it but I went to one once ;-). At the entrance to the parking lot is a big sign... All vehicles on this property are subject to search... My wife worked for the Census Bureau. Each day before she left work, for lunch, to smoke a cigarette, whatever, she had to open her purse to be searched, and empty her pockets. Is it ethical? Hell NO! Is it legal? Probably. They tell the people about it up front, and whether you like it or not, thats the rules. Around here, it is understood that I can use the company's computer facilities for anything I want, (So long as the company gets the profit from it :). However, they have the right to use the computers whenever they wish, after all its their equipment. If I don't want them to see all my stuff, it had better be on floppies in my briefcase. (NOTE: this has never happened to me, but the guy they fired last year ...). They once told a couple of people here to delete all games from their PC (in the employee manual games are listed as a firing offense, and the last I heard the guy they caught lost in the higher courts.) They were also told not to create hidden sub-directories, or any other such bullShit to hide the games. Anyway, to make a long story short, he didn't obey their "request". Just some personal experiences, brian
ben@wri.com (Ben Cox) (06/06/91)
rdippold@cancun.qualcomm.com (Ron Dippold) writes: > Crypt makes use of the Data Encryption Standard (DES), an encryption > technology that is supposedly unbreakable without spending nearly > infinite amounts of computer time (although many believe that the > National Security Agency purposely weakend the specifications to the > point where they _can_ decode it). As has been pointed out by others, crypt(1) does not use the DES encryption standard. There is a DES implementation out, though, that someone else mentioned in a post. Something interesting to note, though, appears on page 450 of "The Unix System Administration Handbook" by Evi Nemeth, Scott Seebass, and Garth Snyder (Prentice Hall, 1989, reprinted without permission) in a footnote: Evi broke the Diffie-Hellman key exchange often used with the DES encryption method using a HEP supercomputer in 1984. Although the DES algorithm is quite complicated, nothing crypted with DES can be considered 100% secure. The U.S. government has been (rightly?) accused of blocking adoption of encryption standards that cannot be broken by the NSA. -- Ben Cox ben@wri.com
rdippold@cancun.qualcomm.com (Ron Dippold) (06/06/91)
In article <1991Jun5.035403.7529@colorado.edu> lewis@tramp.Colorado.EDU (LEWIS WILLIAM M JR) writes: >Crypt does NOT use the DES algorithm, rather: > > "... implements a one-rotor machine along the lines of the German > Enigma, but with a 256 element rotor..." > >The stupidity of the export restriction is not ameliorated by this fact. I have heard of newer versions (replacements, perhaps) that use DES. Although I don't know whether or not they are coming as add-ons or are supplied from the "official" vendor. Apparently it's an add-on. -- Standard disclaimer applies, you legalistic hacks. | Ron Dippold
zwicky@erg.sri.com (Elizabeth Zwicky) (06/06/91)
In article <1161@mwtech.UUCP> martin@mwtech.UUCP (Martin Weitzel) writes: >Did I hear you say the latter scenario is quite unrealistic? Nobody would >expect from the sysadmin to give him back the clear text of some encrypted >file? Oh no, you didn't hear *me* say that. We went to a great deal of trouble to set up an encryption procedure that used an encryption we couldn't break, and we spend all sorts of time pointing out to people that once you encrypt things, that's it - no key, no document. We still get calls regularly asking us to decrypt things. When we tell people we can't decrypt them, they usually ask us to just tell them the key, then. A lot of people think that system administration is just magic - this also explains the people who call up and ask angrily why you haven't fixed something yet, and then turn out never to have reported it broken. They think you have a mystical connection to the machine and you will simply *know* when something isn't working. Elizabeth Zwicky zwicky@erg.sri.com
sbrack@bluemoon.uucp (Steven S. Brack) (06/06/91)
braun@dri.com (Kral) writes: > In article <8XJX32w164w@bluemoon.uucp> sbrack@bluemoon.uucp (Steven S. Brack) > > It might help to look at this as a paper memoin an employee's > >desk. Now, if the employee left it there, then it's fairly obvious that > >the company has claim on it. But, in this case, it's a question of > >retrieving the document from backup. That would be more akin to the > >company going through an employee's desk, without his knowledge, & > >photocopying anything in it. > > Here, and elsewhere, you state that the backups are made without the employee > consent. I disagree with this claim. The company has me back up the files i > order to ensure the surviveability of those files in case something happens t > them. They pay employees who work on this computer a salary (good, bad, or > otherwise) to do company work, not to do personal work. Therefore, they view > all files on this computer as work related. If an employee choses to put > personal stuff on here, and leave it on long enough for it to get backed up, > then they are either knowingly taking their chances, or are just plain stupid > (again, we make sure the employees know that their files are *not* private). And if I have personal notes or mail in my desk at the office? Whose is that? If the company feels those documents are provably vital, then it can always get a court order for them, just like it can for paper documents. > >Personally I think it's > >unethical for a sysadmin to use his tools to access users' personal e-mail > >without their permission, or a search warrant. > > I think this is the crux of the debate: can something kept in a company desk > on a company supplied computer be considered "personal" (to the employee)? > Particularly if it were obtained by using company resources (eg: electronic > mail paid for by the company). Whereas a radio stored in a desk by an employ > clearly belongs to the employee (assuming he bought it), message obtained via > company resources are, IMNSHO, clearly the property of the company. > > (This gets murkier when you consider files whose content was originated by th > employee in question -- see discussions on intellectual copyrights, etc). > > [IMNSHO - in my not so humble opinion] Then, if the company wanted to see the manuscipt it lets you use your PC or UNIX account to write, they can? Most employees expect that their employer would treat them as human beings, not as slaves to be constantly monitored. If I sent a document in US Mail to someone, then needed a copy of it, if he wouldn't give me one, then a court order would be my only resort. The situations are fairly analogous. =========================================================================== Steven S. Brack sbrack@bluemoon.uucp The Ohio State University sbrack%bluemoon@nstar.rn.com sbrack@isis.cs.du.edu ===========================================================================
les@chinet.chi.il.us (Leslie Mikesell) (06/06/91)
In article <Nk13311w164w@bluemoon.uucp> sbrack@bluemoon.uucp (Steven S. Brack) writes: > Then, if the company wanted to see the manuscipt it lets you use > your PC or UNIX account to write, they can? Most employees > expect that their employer would treat them as human beings, > not as slaves to be constantly monitored. If I sent a document > in US Mail to someone, then needed a copy of it, if he wouldn't > give me one, then a court order would be my only resort. The > situations are fairly analogous. Did any say anything about this being a personal message?? It's pretty standard business practice to keep a file copy of all outgoing correspondence. (How else are you going to dispute someone's claim that you promised them the moon...). I don't see any problem with the originator, a new person taking over the function, or other responsible parties having access to those file copies - in fact, most businesses would require it to function. Actually I'm surprised that most email systems don't store a file copy as a matter of course. I've considered adding it here. Les Mikesell les@chinet.chi.il.us
braun@dri.com (Kral) (06/06/91)
In article <Nk13311w164w@bluemoon.uucp> sbrack@bluemoon.uucp (Steven S. Brack) writes: > And if I have personal notes or mail in my desk at the office? > Whose is that? It's not that it *belongs* to the company (the paper mail or notes, in this case), but rather that the company has a right to access them *in the course of doing business*; and if that means you are suspected of, for instance, having unauthorized copies of peronnel files in your desk, they can go through your (or rather, the company's) desk looking for them; if they see your notes/mail/whatever, well, they see them. > If the company feels those documents are > provably vital, then it can always get a court order for them, > just like it can for paper documents. Yes, they can get a court order. The point is, they don't have to. > Then, if the company wanted to see the manuscipt it lets you use > your PC or UNIX account to write, they can? Yes. > Most employees > expect that their employer would treat them as human beings, > not as slaves to be constantly monitored. I don't see this as the latter. You seem to feel that if I have a right to access your files/desk, then I will be constantly monitoring you by doing so. I say this: any company that has nothing better to do than *monitor* it's employees is going to fail in the marketplace by the results of its economic inefficiencies. This does not, however, preclude the search through documents in the course of conducting proper business. > If I sent a document > in US Mail to someone, then needed a copy of it, if he wouldn't > give me one, then a court order would be my only resort. The > situations are fairly analogous. I disagree. In the US mail example, you are not using someone else's resources to write and save the document. You are using a U.S. Government service that explicitly states confidentiality. And note this: if the government suspects you of illegally using the U.S. Mail, they will check out the contents of your mail. (Illegally or otherwise; I don't know off hand what the legality of government snooping on mail is, but if you are sending drugs through the mail, for example, and yell foul when you get caught, well... I think I consider that "evolution in action"). -- kral * 408/647-6112 * ...!uunet!drivax!braun * braun@dri.com "Talking trash, touching on truth" -- Micheal Hedges "1-900-I-LUV-YOU"
tmurray@socrates.umd.edu (tony murray) (06/06/91)
>In article <15110@ccncsu.ColoState.EDU>, conca@handel.cs.colostate.edu (michael vincen conca) writes: >> >> Yesterday, this employee was terminated. He/she was allowed to gather >> their things and purge all of their personal files from the system. Today, >> my boss asked if it would be possible to retrieve this employee's E-mail >> off of backup, find the memo, and print it out in case it was needed as >> evidence in a possible court case. >> With all the arguments going back and forth about a company's rights versus the employees right to privacy, it seems to have been forgotten that the employee in the original example was _given_an_opportunity_ to purge all his/her personal files. They were given a chance to get rid of materials they did not want to leave behind for others to see. While I agree that a company official has the right to retrieve backed-up files, I think they forfeited that right when they gave the employee the opportunity to remove personal items. I think that to go back and dig something up that someone has thrown away (even though it's actually coming from a backup file, the employee intended that it be removed, else s/he wouldn't have deleted it) is a violation of implicit trust. If you are giving someone an opportunity to throw out old personal materials, isn't it implied that you are not going to go rummaging through the trash they put in the dumpster? --Tony (tmurray@socrates.umd.edu)
scotts@qsp.COM (Scott Simpers) (06/07/91)
It's one thing for an employer to do something they told you they were going to do (search your purse, fire you for having games). You were told when you started working for them. It is quite another matter for an employer to start doing these sorts of things AFTER you start. It is probably true that if they give you reasonable warning that they are going to do it, they can. I would equate that to a credit card company changing the terms of the agreement. If you don't like the change, discontinue the card. If you don't like the job, find a new one. I don't mean to imply that it is as easy to change jobs as it is credit cards, but I hope you get the general idea. Scott Simpers Quality Software Products voice: (213)410-0303 5711 W Slauson Avenue Suite 240 fax: (213)410-0124 Culver City, CA 90230 ...uunet!qsp!scotts
leonard@qiclab.scn.rain.com (Leonard Erickson) (06/07/91)
conca@handel.cs.colostate.edu (michael vincen conca) writes:
<Aproximately 1 month ago, a certain employee was advised that he/she was
<was acting in an inappropriate manner and that they needed to make
<certain adjustments in their attitude. A meeting was held between the head
<manager and this employee in which the above issue was discussed. All of
<this was summarized in a memo which was E-mailed to the employee.
<Yesterday, this employee was terminated. He/she was allowed to gather
<their things and purge all of their personal files from the system. Today,
<my boss asked if it would be possible to retrieve this employee's E-mail
<off of backup, find the memo, and print it out in case it was needed as
<evidence in a possible court case.
<Now for the tough questions.
< Is this legal? Is this ethical? If this person still worked
<here, I would immediately refuse. But since they don't, do they still
<have any rights to their E-mail? Right now, I am leaning towards refusing
<because I think a person's E-mail is theirs, regardless of their status
<with the organization. Anyone have any other opinions on this?
You are overlooking one detail. The *sender* of the email has rights to it
too. He *should* have kept a copy, but since he didn't, retreiving any
messages *from* him *to* the terminated employee is perfectly legal.
As is frequently pointed out on the net, the *sender* has copyright on email!
I'm not a lawyer, but I'd say all you *should* need is permission of
*one* of the parties to retrieve the message. Anything after that is
up to the court. And at the very least, *I* would lock up that backup
tape along with logs and the like to enable you to "prove" that it is
indeed what you claim it to be. Remember, the lawyers on *both* sides
may get interested in this, and I'd hate to have to reply to a court order
with "Sorry, that tape got re-used yesterday."
--
Leonard Erickson leonard@qiclab.uucp
personal: CIS: [70465,203] 70465.203@compuserve.com
business: CIS: [76376,1107] 76376.1107@compuserve.comleonard@qiclab.scn.rain.com (Leonard Erickson) (06/07/91)
vince@bcsaic.UUCP (Vince Skahan) writes: >I also personally believe that snooping around anywhere >for the hell of it just because you have the system privs to >do so is both inappropriate and bordering on unethical. I've had users worried about this. After telling them that I'm going to ignore the slur on my character, I then point out that even if I *was* the sort of person to do that, there's just too much stuff out there. I've had to go searching for "old" config files for some of the shared programs on our LAN. Or worse yet, due to an *immediate* need to free up space (the printer quees were crashing!) I've had to nuke "backup" copies made by some software. Both fairly specific. And they both took *hours*. I figure it would take me *days* to snoop through all the files (4 gigabytes is a *lot* of space, even ignoring the databases) -- Leonard Erickson leonard@qiclab.uucp personal: CIS: [70465,203] 70465.203@compuserve.com business: CIS: [76376,1107] 76376.1107@compuserve.com
rcbi12@muvms3.bitnet (Michael J. McCarthy) (06/07/91)
In article <TG13D3L@dri.com>, braun@dri.com (Kral) writes: > In article <Nk13311w164w@bluemoon.uucp> sbrack@bluemoon.uucp (Steven S. Brack) writes: >> Most employees >> expect that their employer would treat them as human beings, >> not as slaves to be constantly monitored. > > I don't see this as the latter. You seem to feel that if I have a right to > access your files/desk, then I will be constantly monitoring you by doing so. > I say this: any company that has nothing better to do than *monitor* it's > employees is going to fail in the marketplace by the results of its economic > inefficiencies. This does not, however, preclude the search through documents > in the course of conducting proper business. Oh good! I finally get to use my liberal arts degree! The point that the first poster made is still valid. While it is true that any company which frittered away its time monitoring its employees would soon be in Chapter 11, such constant monitoring is not necessary. It is only necessary for the company to convince its employees that it CAN, at any time and without their knowledge, watch their actions to achieve the effects of constant monitoring. The French philosopher and historian Michel Foucault, in his book DISCIPLINE AND PUNISH: THE BIRTH OF THE PRISON explains the prison model called a panopticon (I forget the original architect). The panopticon consisted of a ring of cells surrounding a central guard tower. The cells had glass walls on the outside and the inside of the ring, with the effect that light passing through these walls into the central tower rendered the inmates constantly visible. Conversely, they could not see into the guard tower, so they never knew when they were or were not being observed. Consequently, the inmates behaved as if they were constantly being watched, to the point where actual observation was almost unnecessary. They began to internalize the idea that they were constantly under the watchkeeper's eye, and thus modified their OWN behavier. The inmates became, therefore, their own jailers. For a more modern and personal example, ask yourself why you stop at a red light on a deserted street at 4:00am (assuming you do). It's because even though your eyes tell you that NOONE is there, you worry that maybe, just maybe, behind that billboard, is a police officer waiting to meet his or her ticket quota for the week. In THE AGE OF THE SMART MACHINE: THE FUTURE OF WORK AND POWER, Shoshana Zuboff shows that a computer network can easily create an electronic panopticon. This example, I think, is pertinant here. The company need not constantly monitor its employees; it need only show that it can and occasionally does for the effects of such constant observation to take hold. For this reason, in my opinion, the maitenance of personal privacy for employees is so important. Not only did Zuboff show that such an electronic panopticon can develop, but also that when it does, performance and productivity suffer. A feeling of animosity and distrust arise, and the employees often begin to spend valuable company time on developing ways not to follow but rather to CIRCUMVENT the system. Thus, the company which implements such a plan often witnesses a decrease in overall production. ------------- Mike McCarthy Robert C. Byrd Institute for Advanced Flexible Manufacturing Systems Marshall University, Huntington, West Virginia 25755 RCBI12@Marshall.WVNET.EDU RCBI12@Marshall
braun@dri.com (Kral) (06/08/91)
In article <1991Jun06.152549.17193@socrates.umd.edu> tmurray@socrates.umd.edu (tony murray) writes: >With all the arguments going back and forth about a company's rights >versus the employees right to privacy, it seems to have been forgotten >that the employee in the original example was _given_an_opportunity_ >to purge all his/her personal files. They were given a chance to get >rid of materials they did not want to leave behind for others to see... >If >you are giving someone an opportunity to throw out old personal materials, >isn't it implied that you are not going to go rummaging through the trash >they put in the dumpster? This depends, not on the implication that the employee had was permitted to "remove" personal material from the system, but whether the company ever gave the employee, implicitly or explicitly, the impression that any materials ever kept on the system could be considered "personal" and/or "private". I'm told, by our Humar Resources nee Personnel department that this example is relevant: if the company explicitly states a policy of checking handbags, etc, at the entrance as people come into or out of the building, then it may do so; but if it is ever found to be irregular in its application of that policy - so as to lull employees into forgetting about the policy - then they could be guilty of some sort of invasion of privacy [can you tell I'm not an attorney?]. The same is true of the computer files: if you give people the impression that some files on the system may be considered personal and private, and then you go probing in those files without due cause, you could be in big trouble. Remember, this has been used in very visible court cases, to wit, the Iran-Contra case, where significant information was brought before the court from backup tapes of email between, if I remember correctly, North and Casey. I'm dead sure that privacy issues would have been raised if there were a chance they could be used effectively. -- kral * 408/647-6112 * ...!uunet!drivax!braun * braun@dri.com "Talking trash, touching on truth" -- Micheal Hedges "1-900-I-LUV-YOU"
henry@ADS.COM (Henry Mensch) (06/08/91)
->In article <Nk13311w164w@bluemoon.uucp> sbrack@bluemoon.uucp (Steven S. Brack) writes:
->> Then, if the company wanted to see the manuscipt it lets you use
->> your PC or UNIX account to write, they can? Most employees
->> expect that their employer would treat them as human beings,
->> not as slaves to be constantly monitored. If I sent a document
->> in US Mail to someone, then needed a copy of it, if he wouldn't
->> give me one, then a court order would be my only resort. The
->> situations are fairly analogous.
it's not clear what the purpose of this manuscript is, but they almost
certainly have a right to do this.
if you're writing a personal manuscript, then you may find you are in
a deep spot, since many companies proscribe the use of corporate
facilities for this purpose ("personal gain"). even if this is
permitted, you are foolish if you do (proof you used their facilities
to do the work may entitle them to payment for that use, or
part-ownership in the resulting work).
if you're writing a manuscript for corporate use then they already own
it, so they aren't taking anything that isn't theirs.
--
# Henry Mensch / Advanced Decision Systems / <henry@ads.com>henry@ADS.COM (Henry Mensch) (06/08/91)
70465.203@compuserve.com wrote:
->conca@handel.cs.colostate.edu (michael vincen conca) writes:
-><.... Today,
-><my boss asked if it would be possible to retrieve this employee's E-mail
-><off of backup, find the memo, and print it out in case it was needed as
-><evidence in a possible court case.
->
->I'm not a lawyer, ...
indeed. rather than paying much attention to any of this blather, mr
conca should ask his boss to consult a lawyer before he asks for these
files to be retrieved.
--
# Henry Mensch / Advanced Decision Systems / <henry@ads.com>otto@fsu1.cc.fsu.edu (John Otto) (06/08/91)
In article <1991Jun4.194406.1366@qualcomm.com>, rdippold@cancun.qualcomm.com (Ron Dippold) writes... >In article <1991Jun4.144731.685@forwiss.uni-passau.de> baier@unipas.fmi.uni-passau.de (Joern Baier) writes: >>From the crypt manual page: >>CRYPT(1) USER COMMANDS CRYPT(1) >Crypt makes use of the Data Encryption Standard (DES), an encryption technology >that is supposedly unbreakable without spending nearly infinite amounts of >computer time (although many believe that the National Security Agency >purposely weakend the specifications to the point where they _can_ decode it). My readings at the time indicated that the whole purpose of DES is the same as Biden's - to make sure Big Bro doesn't miss anything. It was intentionally weaker than the then state of the art in encryption.
otto@fsu1.cc.fsu.edu (John Otto) (06/08/91)
In article <1991Jun05.142444.839@heitis1.uucp>, news@heitis1.uucp (News Administrator) writes... >In article <1991May26.004112.15971@ms.uky.edu> sean@ms.uky.edu (Sean Casey) writes: >My wife worked for the Census Bureau. Each day before she left work, for >lunch, to smoke a cigarette, whatever, she had to open her purse to be >searched, and empty her pockets. That makes sense. The Census Bureau doesn' know from privacy.
xanthian@zorch.SF-Bay.ORG (Kent Paul Dolan) (06/09/91)
otto@fsu1.cc.fsu.edu writes: news@heitis1.uucp (News Administrator) writes... >> My wife worked for the Census Bureau. Each day >> before she left work, for lunch, to smoke a >> cigarette, whatever, she had to open her purse to >> be searched, and empty her pockets. > That makes sense. The Census Bureau doesn' know > from privacy. Quite the opposite. Up until last year, when the temptation to implement Big Brother methods apparently overcame good sense, the Census Bureau has been utterly fanatic about protecting the privacy of its RECORDS, not employees, since any hint of scandal would mean no more freely furnished Census Data about all the snoopy questions that they ask with a promise that the answers will remain anonymous. Checking to be sure no one was violating that privacy just made good sense. My brother used to work in a factory that made gold college rings (Jostins); you haven't come close to seeing invasions of privacy until you see the methods employed to keep even the tiniest scrap of gold from adhering to a departing employee even by accident. When you work in a place like that, the inspections are part of the job, and should be factored into the salary. Kent, the man from xanth. <xanthian@Zorch.SF-Bay.ORG> <xanthian@well.sf.ca.us>
josh@happym.WA.COM (Joshua_Putnam) (06/11/91)
In <50318@muvms3.bitnet> rcbi12@muvms3.bitnet (Michael J. McCarthy) writes: >In article <TG13D3L@dri.com>, braun@dri.com (Kral) writes: >> In article <Nk13311w164w@bluemoon.uucp> sbrack@bluemoon.uucp (Steven S. Brack) writes: > >>> Most employees >>> expect that their employer would treat them as human beings, >>> not as slaves to be constantly monitored. >> >> I don't see this as the latter. You seem to feel that if I have a right to >> access your files/desk, then I will be constantly monitoring you by doing so. >> I say this: any company that has nothing better to do than *monitor* it's >> employees is going to fail in the marketplace by the results of its economic >> inefficiencies. This does not, however, preclude the search through documents >> in the course of conducting proper business. > Consequently, the inmates behaved as if they were constantly being >watched, to the point where actual observation was almost unnecessary. They >began to internalize the idea that they were constantly under the watchkeeper's >eye, and thus modified their OWN behavier. The inmates became, therefore, >their own jailers. For a more modern and personal example, ask yourself why >you stop at a red light on a deserted street at 4:00am (assuming you do). It's >because even though your eyes tell you that NOONE is there, you worry that >maybe, just maybe, behind that billboard, is a police officer waiting to meet >his or her ticket quota for the week. Silly me. And here I thought it had to do with old fashioned concepts like "civilized conduct" and "respect for the law" derived from the "consent of the governed" as part of a "democratic system." Personally, the thought that I might get caught just isn't relevant. Maybe I'm out of tough with modern society, but I'm rarely in such a hurry that I'd feel the need to run a red light. (But then, Seattle is known for the sight of pedestrians patiently waiting in the rain, on empty streets, for the "Don't Walk" to change to "Walk.") In a similar vein, I do not expect my employer to monitor me constantly to "force" me to "comply." It simply doesn't make sense. If I didn't like the work, I wouldn't take the job. If I did not want to comply with some policy, and my employer would not change the policy, I would face a straightforward choice between complying in good faith despite my objections and finding another job. Attempting to subvert company policy simply would not present itself as an option. Certainly it is reasonable for an employer to have the right to search my desk for an important document if I were not there when the document was needed. The alternative, having the company grind to a halt for a day or a week until I came back, is silly. Employees should have some common sense, and not take things to work that they would not want their employer to see. The same applies to computers. Absent an ironclad guarantee of privacy, I have no right to assume any files on the company's computer are absolutely inviolable. If regular backups are made and kept, I have no reason to believe they will not be used. Even if the company provides nominally private personal directories to employees, employees should remember that their files may be viewed accidentally by administrators (who should keep quiet about what they see in such cases). Employers should obviously refrain from abusing their rights, but that does not mean they should forswear them altogether. >The company need >not constantly monitor its employees; it need only show that it can and >occasionally does for the effects of such constant observation to take hold. I see, and I hope others would see, a huge difference between "monitoring" employees continuously or randomly for intimidation purposes and retrieving company documents from an employee's desk or computer for legitimate business needs. The arguments against employers' rights all seem to assume an adversarial relationship between employer and employee. Unless justified by a record of abuse of power or bad faith commitments, such an assumption seems counterproductive. If such a history of abuse exists, how do you justify giving the employer the benefits of your labor? -- Joshua_Putnam@happym.wa.com Happy Man Corp. 206/463-9399 x102 4410 SW Pt. Robinson Rd., Vashon Island, WA 98070-7399 fax x108 We publish SOLID VALUE for the intelligent investor. (NextMail Info. free (sample $20): E-mail patty@happym.wa.com. okay too)
josh@happym.WA.COM (Joshua_Putnam) (06/12/91)
In <1991Jun9.073804.1969@zorch.SF-Bay.ORG> xanthian@zorch.SF-Bay.ORG (Kent Paul Dolan) writes: > otto@fsu1.cc.fsu.edu writes: > news@heitis1.uucp (News Administrator) writes... >> That makes sense. The Census Bureau doesn' know >> from privacy. >Quite the opposite. Up until last year, when the >temptation to implement Big Brother methods apparently >overcame good sense, the Census Bureau has been utterly >fanatic about protecting the privacy of its RECORDS, >not employees, since any hint of scandal would mean no >more freely furnished Census Data about all the snoopy >questions that they ask with a promise that the answers >will remain anonymous. Yes and no. The individual responses are kept secret for decades. But the Census has long released local breakdowns detailed enough to be used for zoning enforcement (illegally rented spare bedrooms), building code violations (What do you mean someone on this street doesn't have indoor plumbing? That's illegal -- we'd better condemn the house and make them homeless.), targeting sales campaigns, and finding Japanese Americans who needed to be sent to the Arizona desert for their own protection :-( The Census may be much better than some other government agencies, but it still goes a long way to degrade individual privacy by providing such a detailed starting point for those who do the actual invading. This may account for the trouble the Census had in obtaining freely furnished answers to its snoopy questions this time (such as all the people who wrote in "human" under "Race", and who refused to answer many other questions). In any case, this thread is veering away from the email issue, and probably from these groups in general. -- Joshua_Putnam@happym.wa.com Happy Man Corp. 206/463-9399 x102 4410 SW Pt. Robinson Rd., Vashon Island, WA 98070-7399 fax x108 We publish SOLID VALUE for the intelligent investor. (NextMail Info. free (sample $20): E-mail patty@happym.wa.com. okay too)
tjc@ecs.soton.ac.uk (Tim Chown) (06/12/91)
In <3651@happym.WA.COM> josh@happym.WA.COM (Joshua_Putnam) writes: >Absent an ironclad guarantee of privacy, I have no right to assume any >files on the company's computer are absolutely inviolable. If regular >backups are made and kept, I have no reason to believe they will not >be used. Even if the company provides nominally private personal >directories to employees, employees should remember that their files >may be viewed accidentally by administrators (who should keep quiet >about what they see in such cases). Sometimes the mail system, sendmail in our case, fails due to an error of some sort. It's quite rare but as our postmaster I redirect failed headers to me so I can attempt to prevent similar failures and notify senders/intended recipients of the problem and perhaps the cause. Anyway, as a result I saw a message between two students that was clearly showing them to be cheating in an assigment by exchanging pieces of code. I only saw the subject line, but it was enough. Do you turn a blind eye? Do you let the offenders gain an unfair advantage? It's not at all clear cut. We have correlation software written as the basis as a PhD that checks for collaboration on the structure of code, but when you have the extra "proof" should you root (literally ;-) around further? Tricky. Tim --
braun@dri.com (Kral) (06/12/91)
In article <50318@muvms3.bitnet> rcbi12@muvms3.bitnet (Michael J. McCarthy) makes an excellent point against companies constantly monitoring, or giving the impression that they are monitoring, employee's email. > The French philosopher and historian Michel Foucault, in his book >DISCIPLINE AND PUNISH: THE BIRTH OF THE PRISON explains the prison model >called a panopticon... [which allows the gaurds to see in but the prisoners >cannot see the guards, so never know if/when they are being watched]. > In THE AGE OF THE SMART MACHINE: THE FUTURE OF WORK AND POWER, >Shoshana Zuboff shows that a computer network can easily create an electronic >panopticon... > For this reason, in my opinion, the maitenance of personal privacy for >employees is so important. Not only did Zuboff show that such an electronic >panopticon can develop, but also that when it does, performance and >productivity suffer... Agreed. It is important that the company not even give the impression that mail, etc, will be constantly monitored, or even casually monitored. In fact, I think it is essential that company policy state (as my organizational policy states), that prying into someone else's files or otherwise monitoring data transmission without sufficient cause, is grounds for termination. This is based on ethics as well as economics (I would hope the former more so than the latter). However, a distinction must, I think, be made. Employees must be aware that files kept on company resources (ie, the company computer(s)), are subject to perusal by authorized personnel if and when (and only if and when) it is necessary in the course of business. Michael says: > For this reason, in my opinion, the maitenance of personal privacy for >employees is so important. Yes, absolutely, but not by using company resources. [I might add, that somewhere on my side of this argument, is a phrase that has something to do with "reasonable use" of company resources for personal use, but I admit here that I have not yet made the time to think this through yet. So we try to make the lines of distinction narrower yet, knowing all the while that they are miles across]. -- kral * 408/647-6112 * ...!uunet!drivax!braun * braun@dri.com "Talking trash, touching on truth" -- Micheal Hedges "1-900-I-LUV-YOU"
rickert@mp.cs.niu.edu (Neil Rickert) (06/12/91)
In article <8114@ecs.soton.ac.uk> tjc@ecs.soton.ac.uk (Tim Chown) writes: >error of some sort. It's quite rare but as our postmaster I >redirect failed headers to me so I can attempt to prevent > >Anyway, as a result I saw a message between two students that >was clearly showing them to be cheating in an assigment by exchanging >pieces of code. I only saw the subject line, but it was enough. >Do you turn a blind eye? Do you let the offenders gain an unfair If something like that happens here, I send a message to the author of the message, reminding him of his responsibilities. I otherwise ignore it as information I use. Users of this system are warned that email is not 100% private, and that in particular the Postmaster may see all failed mail. >advantage? It's not at all clear cut. We have correlation software >written as the basis as a PhD that checks for collaboration on the >structure of code, but when you have the extra "proof" should you The real question here, I believe, is not related to email. It is the question of whether collaboration should be considered cheating. This is probably the wrong news group. We are supposedly preparing students to be able to function in a real programming job where the ability to successfully collaborate with colleagues is an essential requirement of the position. -- =*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*= Neil W. Rickert, Computer Science <rickert@cs.niu.edu> Northern Illinois Univ. DeKalb, IL 60115 +1-815-753-6940
david@talgras.UUCP (David Hoopes) (06/13/91)
In article <8114@ecs.soton.ac.uk> tjc@ecs.soton.ac.uk (Tim Chown) writes: > >Sometimes the mail system, sendmail in our case, fails due to an >error of some sort. It's quite rare but as our postmaster I >redirect failed headers to me so I can attempt to prevent >similar failures and notify senders/intended recipients >of the problem and perhaps the cause. > >Anyway, as a result I saw a message between two students that >was clearly showing them to be cheating in an assigment by exchanging >pieces of code. I only saw the subject line, but it was enough. >Do you turn a blind eye? Do you let the offenders gain an unfair >advantage? It's not at all clear cut. We have correlation software I would turn them in to their professors. I would also tell the professors that E-MAIL can be forged so this could be from someone else with an ax to grind. If you worked for company x and while a co-worker was on vacation you went to get something out of his/her desk. Something that you needed to conduct regular bussines. If you found a set of ledgers that indicated that the person was cheating the company or the companys clients would you put the ledgers back and tell them that that wasn't a nice thing to do or would you present the ledger to the company officals and let them deal with the person. As a system admin it isn't your job to snoop through users mail to find out if they are cheating. However, when in the course of doing your duties, ie fixing mail headers, you find something that clearly shows that students are cheating then you should act on it. -- --------------------------------------------------------------------- David Hoopes Tallgrass Technologies Inc. uunet!talgras!david 11100 W 82nd St. Voice: (913) 492-6002 x323 Lenexa, Ks 66214
scotts@qsp.COM (Scott Simpers) (06/14/91)
In article <8114@ecs.soton.ac.uk> tjc@ecs.soton.ac.uk (Tim Chown) writes: >In <3651@happym.WA.COM> josh@happym.WA.COM (Joshua_Putnam) writes: > [...] >Anyway, as a result I saw a message between two students that >was clearly showing them to be cheating in an assigment by exchanging >pieces of code. I only saw the subject line, but it was enough. [...] >root (literally ;-) around further? Tricky. > >Tim >-- No, not tricky. You either tell the students (and all users) ahead of time that their e-mail is not private, or you MIND YOUR OWN BUSINESS. You are the system administrator, not the professor. When you start to say "It's OK to violate someone's privacy if it was accidental", accidents become a lot more common. Scott Simpers Quality Software Products voice: (213)410-0303 5711 W Slauson Avenue Suite 240 fax: (213)410-0124 Culver City, CA 90230 ...uunet!qsp!scotts
tjc@ecs.soton.ac.uk (Tim Chown) (06/14/91)
In <1991Jun12.155230.17992@mp.cs.niu.edu> rickert@mp.cs.niu.edu (Neil Rickert) writes: > If something like that happens here, I send a message to the author of the >message, reminding him of his responsibilities. I otherwise ignore it as >information I use. > Users of this system are warned that email is not 100% private, and that >in particular the Postmaster may see all failed mail. I have had a few replies on this, the main feeling being that, as you say, users should be made aware that e-mail is not secure and that anything confidential should not be sent without forethought. They should also be aware that forgeries are possible and that in some cases messages will bounce and in a few very rare cases mail may be lost. As for the students, the feeling was that I should mail them to let them know I'd spotted the message (because it had failed) but that I shouldn't mail their tutors; the "warning" should suffice. Of course, they may well have gone off and exchnaged listings on paper later ... > The real question here, I believe, is not related to email. It is the >question of whether collaboration should be considered cheating. This is >probably the wrong news group. We are supposedly preparing students to be >able to function in a real programming job where the ability to successfully >collaborate with colleagues is an essential requirement of the position. In most individual courseworks our students are allowed to "talk" about the assignment, but not to exchange designs, formal specs, listings or code fragments. We have group projects where collaboration is a must! Tim --
chooper@cc.curtin.edu.au (Todd Hooper) (06/14/91)
In article <8114@ecs.soton.ac.uk>, tjc@ecs.soton.ac.uk (Tim Chown) writes: > Anyway, as a result I saw a message between two students that > was clearly showing them to be cheating in an assigment by exchanging > pieces of code. I only saw the subject line, but it was enough. > Do you turn a blind eye? Do you let the offenders gain an unfair > advantage? It's not at all clear cut. We have correlation software > written as the basis as a PhD that checks for collaboration on the > structure of code, but when you have the extra "proof" should you > root (literally ;-) around further? Tricky. Personally, I totally ignore the 'subject' header of bounced mail. In this case, I would have ignored it as well. It is the job of academic staff to uncover plagiarism - not mine. I think a consistent policy of enforcing privacy is the best defense. If it is known that you might read mail, or interpret the contents in some way (even if this only involves looking at the subject line) then you may leave yourself open to more problems (e.g. why didn't you stop this hacker mailing /etc/passwd to someone?). Most mailers have the 'headers-only' facility, when bouncing mail to the postmaster. This should really be a default on mailers, since I can't think of a single case where I have needed to look at the body of a message. I can't see how you could be alerted to the contents by the subject - what sort of student would be dumb enough to put a subject like 'Here is a copy of my assignment...' ;-) -- Todd Hooper (Postmaster) Computing Centre Curtin University of Technology Western Australia Internet : hooper_ta@cc.curtin.edu.au Phone : +61 9 351 7467 (24 hour messaging system) Fax +61 9 351 2673
braun@dri.com (Kral) (06/17/91)
In article <1991Jun14.153835.8709@cc.curtin.edu.au> chooper@cc.curtin.edu.au (Todd Hooper) writes: > >Personally, I totally ignore the 'subject' header of bounced mail. In this >case, I would have ignored it as well. It is the job of academic staff to >uncover plagiarism - not mine. How is this different from: "It is the job of the police to deal with robberies, not mine (so I won't report this obvious burglary I'm seeing to the police)" "It is the job of the police to deal with rape crimes (etc)". >I think a consistent policy of enforcing privacy >is the best defense. If it is known that you might read mail, or interpret the >contents in some way (even if this only involves looking at the subject line) >then you may leave yourself open to more problems (e.g. why didn't you stop >this hacker mailing /etc/passwd to someone?). This is easy to explain in economic terms: does the administration wish to pay for someone to spend all day long looking into other peoples files and monitoring all email? Explain it to them like that, and they will have to agree that it is an unreasonable expectation. -- kral * 408/647-6112 * ...!uunet!drivax!braun * braun@dri.com "Talking trash, touching on truth" -- Micheal Hedges "1-900-I-LUV-YOU"
chooper@cc.curtin.edu.au (Todd Hooper) (06/20/91)
In article <DXG4ZT@dri.com>, braun@dri.com (Kral) writes: > In article <1991Jun14.153835.8709@cc.curtin.edu.au> chooper@cc.curtin.edu.au (Todd Hooper) writes: >> >>Personally, I totally ignore the 'subject' header of bounced mail. In this >>case, I would have ignored it as well. It is the job of academic staff to >>uncover plagiarism - not mine. > > How is this different from: > > "It is the job of the police to deal with robberies, not mine (so > I won't report this obvious burglary I'm seeing to the police)" > > "It is the job of the police to deal with rape crimes (etc)". Regardless of this criticism (and Karl's comments along similar lines) I still stand by my original statement. Just because the mail message in question has a subject header of 'Assignment 1 source code' doesn't give me any more right to delve into the contents than if the subject header said 'Saucy details of my weekend holiday'. By _assuming_ that the mail must contain some assignment source code, you are simply justifying an invasion of privacy that may be totally unwarranted. What if you started reading the message only to discover that the subject header was a joke? Do you simply 'unread' what you have read? Also, the actions you note above are fairly serious crimes. I wouldn't have any hesitiation reporting serious crimes to the police. On the other hand, a report of plagiarism coming from a systems administrator could literally ruin a students academic career, with only a single item of circumstantial evidence. >>I think a consistent policy of enforcing privacy >>is the best defense. If it is known that you might read mail, or interpret the >>contents in some way (even if this only involves looking at the subject line) >>then you may leave yourself open to more problems (e.g. why didn't you stop >>this hacker mailing /etc/passwd to someone?). > > This is easy to explain in economic terms: does the administration wish to pay > for someone to spend all day long looking into other peoples files and > monitoring all email? Explain it to them like that, and they will have to > agree that it is an unreasonable expectation. Exactly. However, academic staff are _paid_ to detect plagiarism as part of the assesment of student work. So why should I violate ethical principles, considering that the University has already taken action to stop plagiarism? Todd
peter@ficc.ferranti.com (Peter da Silva) (06/21/91)
In article <DXG4ZT@dri.com> braun@dri.com (Kral) writes: > In article <1991Jun14.153835.8709@cc.curtin.edu.au> chooper@cc.curtin.edu.au (Todd Hooper) writes: > >Personally, I totally ignore the 'subject' header of bounced mail. In this > >case, I would have ignored it as well. It is the job of academic staff to > >uncover plagiarism - not mine. > How is this different from: > "It is the job of the police to deal with robberies, not mine (so > I won't report this obvious burglary I'm seeing to the police)" > "It is the job of the police to deal with rape crimes (etc)". You find evidence of *that* sort of stuff, that's one thing. But plagiarism by a student hurts no-one but the student who misbehaves. Do you report someone to the police for driving without a seatbelt on? -- Peter da Silva; Ferranti International Controls Corporation; +1 713 274 5180; Sugar Land, TX 77487-5012; `-_-' "Have you hugged your wolf, today?"
mike@bria.UUCP (mike.stefanik) (06/22/91)
In an article, braun@dri.com (Kral) writes: |In an article, chooper@cc.curtin.edu.au (Todd Hooper) writes: |> |>Personally, I totally ignore the 'subject' header of bounced mail. In this |>case, I would have ignored it as well. It is the job of academic staff to |>uncover plagiarism - not mine. | |How is this different from: | | "It is the job of the police to deal with robberies, not mine (so | I won't report this obvious burglary I'm seeing to the police)" | | "It is the job of the police to deal with rape crimes (etc)". It is all a matter of degree... in my book, a burglary or rape is something that is a) an act against society at large, b) entails substantial bodily threat to one or more persons. I wouldn't tend to lump a cheating freshman in with the above catagories. IMHO, reading someone elses mail is unethical, tasteless and vulgar. Period. The simple fact that the mail is electronic rather than written on paper is irrelevant. The problem is not with the medium -- it is with the ease of access to the information on the medium by "administrators". Of course, it is easily within the power of developers to write a secure mail system, whereby only the bona fide recipient can read the mail ... -- Mike Stefanik, MGI Inc., Los Angeles -- Opinions stated are never realistic! "To sin by silence when they should protest makes cowards out of men." -Lincoln
steve@sherlock.mmid.ualberta.ca (Stephen Samuel) (06/28/91)
In article <+J1CPAC@xds13.ferranti.com> peter@ficc.ferranti.com (Peter da Silva) writes: >In article <DXG4ZT@dri.com> braun@dri.com (Kral) writes: >> In article <1991Jun14.153835.8709@cc.curtin.edu.au> chooper@cc.curtin.edu.au (Todd Hooper) writes: >> >case, I would have ignored it as well. It is the job of academic staff to >> >uncover plagiarism - not mine. >> How is this different from: >> "It is the job of the police to deal with rape crimes (etc)". >You find evidence of *that* sort of stuff, that's one thing. But plagiarism >by a student hurts no-one but the student who misbehaves. Do you report >someone to the police for driving without a seatbelt on? If I look thru somebody's window as I pass on the street and see a crime in action, I'm not going to let the fact that it's taking place in a normally private location stop me from responding/reporting things. In this case, it looks like the culprits are using academic equipment to commit an offence that could hurt the reputation of your school. Granted -- I wouldn't go snooping around in other people's mail for proof of academic disonesty, but if a hot potatoe lands in my lap, I'll bloody well do something about it. On the other side of the coin: If academic staff saw signs of a security breach, or some other not-so obvious - but nontheless serious system problem, wouldn't YOU like them to exclaim "Who cares.. That's for the sysadmins to look for."? -- Stephen samuel !alberta!samuels or userzxcv@ualtamts.bitnet Do for others as you'd like them to do.... steve@mycroft.mmid.ualberta.ca Don't be nice -- be compassionate. Compassion is what nice tries to look like.