Upload
suzan-porter
View
218
Download
2
Embed Size (px)
Citation preview
The Business & Technologyof Email Surveillance
Andrew Schulman
Workplace Surveillance Project
Privacy Foundation, UShttp://www.undoc.com
Sydney, June 28, 2001
Demo:WinWhatWhere Investigator
http://www.winwhatwhere.com
http://www.undoc.com
How much email surveillance? Freehills, Feb. 2000: “Email content is
periodically monitored by 76% of [companies], mostly for systems maintenance and trouble-shooting purposes or where email abuse is suspected. Only 5% monitor emails on a routine basis. 19% do not monitor.”
CEOE, 2001: 15% subject to covert surveillance (from PriceWaterhouse video figure?)
http://www.undoc.com
How much email surveillance? Amer. Mgmt. Assoc., April 2001: 47% of
“large” US companies store and review email messages, compared with 15% in 1997.
"Most respondent firms carry on surveillance practices on an occasional basis in the manner of spot checks rather than constantly or on a regular routine."
http://www.undoc.com
The email surveillance bizBaltimore Technologies (BALT):
MIMEsweeper (10.5 million “seats” worldwide)
Tumbleweed (TMWD): Messaging Mgmt. System (MMS; $13M = 2.5 million seats?)
Elron (ELRN): Message Inspector (1-2 million seats?)
http://www.undoc.com
Email surveillance biz, continued
Symantec (SYMC): Mail-Gear (1-2 million) EmUTech, Dec. 2000: 45,000 users (NSW
Workcover, Aust. Human Rights Comm.) SurfControl (SRF.L): Email Filter
(1 million; City of Melbourne). Claims CIAC market penetrated less than 1%
WinWhatWhere: about 10,000 copies sold? MailMarshal (NZ)
http://www.undoc.com
Email surveillance biz, continued
10.5 + 2.5 + 2 + 2 + 1 + 1 = 18 The work email of roughly 18 million
employees worldwide is under constant surveillance by employers
US: 42M work access; 34M “active” (Nielsen/NetRatings, June 2001)
N. America about 45% of global email seats (Ferris Research, 2000)
34-42M ÷ .45 = 75-95M with work email 18-24% under email surveillance
http://www.undoc.com
What’s it mean for Australia?Australia: 30% of 16+ have internet
access at work (Nielsen/NetRatings, Q1 2001)
Total online workforce of about 3-4M?18-24% under email surveillanceBetween 500,000 and 1 million
Australian employees have their work email under constant surveillance by their employer.
http://www.undoc.com
Why monitor employee email? Eliminate spam, email viruses Regulatory requirements (US SEC, NASD) Vicarious liability for coworker harassment,
“bullying” vs. “bullying”? Bandwidth concerns (large attachments) Slacking off (bludging) Protect trade secrets Copyright protection (pirated software) “Quality assurance” and training
http://www.undoc.com
Some issues Constant vs. spot check vs. “blind monitoring” Blocking/filtering vs. RECORDING Send vs. receive Internal vs. external Header vs. content Keywords, phrases, context Log file retention policies Telecommuters? (Work email at home) Phone, voice mail (VoIP, call centers) Multinationals
http://www.undoc.com
Email surveillance case law Smyth v. Pillsbury (1996; no reasonable
expectation of privacy in company e-mail, even when employer had promised confidentiality; but email was to supervisor)
Contrast Watkins v. Berry (1983; having determined a call is personal, employer should stop listening)
McLaren v. Microsoft (1999; inbox is not a locker)
http://www.undoc.com
Email surveillance case lawcontinued
Contrast AMACSU v. Ansett (using company email for union bulletin)
In US, contrast e.g.Timekeeping v. Leinweber (1997; NLRB case involving non-union criticism of company)
Union and company-criticism cases are better than porno cases!
http://www.undoc.com
Email as evidence Iran-Contra hearings (Oliver North) Clinton/Lewinsky (“deleted” emails) Microsoft antitrust cases (US v. Microsoft;
Caldera v. Microsoft) "The documents were never intended to meet
the eyes of anyone but the officers themselves, and were, as it were, cinematographic photographs of their purposes at the time they were written” (J. Learned Hand, US v. Corn Products, 1916)
http://www.undoc.com
Email as evidence:Monitoring a risk to employers “The degree of surveillance promoted … may
provide a wealth of information, but it may also prove to be a two edged sword. The data collected in such exercises becomes yet another source of material for discovery in employee litigation – especially in sex discrimination and harassment cases” (Privacy Law and Policy Reporter, Dec. 2000)
“Guerrilla Raids on the Honey Pot”
http://www.undoc.com
Email logs as “public records”Freedom of Information Act (FOIA)
requests Indiana cases
http://www.undoc.com
Email firings & suspensionsCentrelink, May 2000 (6 in Adelaide;
Australian Public Services Act)NSW Police, Dec. 2000 (5 out of 460;
including “violent” images)See “Job Loss Monitor” at
www.privacyfoundation.org/workplace
http://www.undoc.com
Self-protection?Web-based email: Hotmail, YahooPGPSafeWebBut does DIY really work?
Sample report: eSniff
http://www.esniff.com
Demo: Fatline(Web Surveillance)
http://www.fatline.com
http://www.undoc.com
Legislation Australian “employment records” exemption US proposals Not just “notice,” but ACCESS “Informed consent” requires information Exclusionary rule? Proportionality (“fishing expeditions”) Priv. Comm. Guidelines, March 2000
http://www.undoc.com
“Balance”?On any specific issue, privacy will (and
perhaps should) almost always loseBut if such individual results are added
up, the result would be no privacyHard choices more likely to be made by
courts than by legislators?