Posted by mikeb on May 21, 2007
Is there really such a “beast” allowed in the workplace any longer? Is privacy something you only get at home locked in a closet nowadays?
Today I ran across a post in a forum that I felt obliged to reply to in hopes of helping a Network Administrator out with a boss's demand. Herein I will copy and paste the post as well as link back to it and my profile on the site in case there is someone out there that would like to read more of my “drivel” as my ex-wife would likely call it. :p
My Profile on www.neowin.net forums: http://www.neowin.net/forum/index.php?showuser=153115
“I would have to say there was one thing I didn’t see any one of you state in this email. As a consultant and IT manager I’ve had to deal with this in the past and have spoken with several peers. It is common to hear this type of request coming from a company looking for either a) too much control or b) paranoid (be it legal or personal reasons) and c) that do not have a clear understanding of the law and recent court standings.
This boils down to a privacy issue. The information, as you have found through this post, is readily available to anyone with administrative access to the systems in question. Be it a file, data table, email, or many other items; this is the point of Administrative Access.
Here is something to think about, please keep in mind it is only from the Federal Perspective and does not include potential local statutes you may have to deal with:
“The Electronic Communications Privacy Act (ECPA) (18 U.S.C. §§ 2510-20; 2701-2711), is the only federal statute relevant to claims of workplace invasions of privacy by electronic means. The ECPA prohibits (1) unauthorized and intentional “interception” of wire, oral, and electronic communications during the transmission phase, and (2) unauthorized “accessing” of electronically stored wire or electronic communications.
For purposes of interpreting the Act, it is important to note that an e-mail is an “electronic communication” as that phrase is defined in § 2510. In the specific context of e-mails, it is also important to determine whether an employer “intercepted” the e-mail while it was being transmitted, or whether he/she “accessed” it minutes, days, or weeks after it was stored in an employee’s computer. This distinction is important because different penalties apply:
• Section 2701 prohibits the unauthorized access of an e-mail that is stored in a computer. A violation of § 2701 subjects the violator to a fine of up to $10,000 and/or a sentence of up to one year in prison.
• Section 2511, on the other hand, prohibits the interception of an e-mail while the e-mail is being transmitted, and subjects the violator to penalties of up to a $10,000 fine and/or up to five years in prison.
The ECPA contains two exceptions that are pertinent to e-mail communications. First, under the system provider exception, the prohibitions on the interception, disclosure, or use of electronic communications do not apply to conduct by an officer, employee, or agent of a provider of electronic communication services if the interception occurs during an activity necessary to the rendition of the service or to the protection of the rights or property of the provider.”
For example, a Massachusetts court found that reviewing employees’ mail using a supervisor’s password violated state law against “unreasonable, substantial or serious” interference with privacy (Restuccia vs. Burk Technology).
Please note here that I only focused on email. The ECPA is far-reaching, as are the state and local statutes. Some states even have vague ties in their state constitutional amendments. You’d have to check on your local and state laws to be sure.
In the end it comes down to having a sound monitoring policy in place. One in which everything is spelled out, is signed by the employee and counter-signed by the IT department and HR. Remember, even though the Federal laws are currently very vague on the privacy laws they, as well as state and local courts, have found in favor of the employee in these situations on many more occasions than businesses have won.
My two cents anyhow.”
There is much more research an individual and corporation need to do to understand these laws but hopefully I’ve helped to start you on the right road. Please note that this is an “As Is” posting and is not meant nor intended as legal advice. I highly recommend seeking legal counsel in matters such as these. Boilerplate templates are usually not enough to cover you in legal matters such as these.
Please note: The following references and thoughts for the above caption(s) in the forum come from the ECPA, ABA (American Bar Association), Network Computing Article, CRN, and multiple talks with peers and previous questions and posts in the past several years.