The Business & Technologyof Email Surveillance

Andrew Schulman

Workplace Surveillance Project

Privacy Foundation, UShttp://www.undoc.com

Sydney, June 28, 2001

Demo:WinWhatWhere Investigator

http://www.winwhatwhere.com

http://www.undoc.com

How much email surveillance? Freehills, Feb. 2000: “Email content is

periodically monitored by 76% of [companies], mostly for systems maintenance and trouble-shooting purposes or where email abuse is suspected. Only 5% monitor emails on a routine basis. 19% do not monitor.”

CEOE, 2001: 15% subject to covert surveillance (from PriceWaterhouse video figure?)

http://www.undoc.com

How much email surveillance? Amer. Mgmt. Assoc., April 2001: 47% of

“large” US companies store and review email messages, compared with 15% in 1997.

"Most respondent firms carry on surveillance practices on an occasional basis in the manner of spot checks rather than constantly or on a regular routine."

http://www.undoc.com

The email surveillance bizBaltimore Technologies (BALT):

MIMEsweeper (10.5 million “seats” worldwide)

Tumbleweed (TMWD): Messaging Mgmt. System (MMS; $13M = 2.5 million seats?)

Elron (ELRN): Message Inspector (1-2 million seats?)

http://www.undoc.com

Email surveillance biz, continued

Symantec (SYMC): Mail-Gear (1-2 million) EmUTech, Dec. 2000: 45,000 users (NSW

Workcover, Aust. Human Rights Comm.) SurfControl (SRF.L): Email Filter

(1 million; City of Melbourne). Claims CIAC market penetrated less than 1%

WinWhatWhere: about 10,000 copies sold? MailMarshal (NZ)

http://www.undoc.com

Email surveillance biz, continued

10.5 + 2.5 + 2 + 2 + 1 + 1 = 18 The work email of roughly 18 million

employees worldwide is under constant surveillance by employers

US: 42M work access; 34M “active” (Nielsen/NetRatings, June 2001)

N. America about 45% of global email seats (Ferris Research, 2000)

34-42M ÷ .45 = 75-95M with work email 18-24% under email surveillance

http://www.undoc.com

What’s it mean for Australia?Australia: 30% of 16+ have internet

access at work (Nielsen/NetRatings, Q1 2001)

Total online workforce of about 3-4M?18-24% under email surveillanceBetween 500,000 and 1 million

Australian employees have their work email under constant surveillance by their employer.

http://www.undoc.com

Why monitor employee email? Eliminate spam, email viruses Regulatory requirements (US SEC, NASD) Vicarious liability for coworker harassment,

“bullying” vs. “bullying”? Bandwidth concerns (large attachments) Slacking off (bludging) Protect trade secrets Copyright protection (pirated software) “Quality assurance” and training

http://www.undoc.com

Some issues Constant vs. spot check vs. “blind monitoring” Blocking/filtering vs. RECORDING Send vs. receive Internal vs. external Header vs. content Keywords, phrases, context Log file retention policies Telecommuters? (Work email at home) Phone, voice mail (VoIP, call centers) Multinationals

http://www.undoc.com

Email surveillance case law Smyth v. Pillsbury (1996; no reasonable

expectation of privacy in company e-mail, even when employer had promised confidentiality; but email was to supervisor)

Contrast Watkins v. Berry (1983; having determined a call is personal, employer should stop listening)

McLaren v. Microsoft (1999; inbox is not a locker)

http://www.undoc.com

Email surveillance case lawcontinued

Contrast AMACSU v. Ansett (using company email for union bulletin)

In US, contrast e.g.Timekeeping v. Leinweber (1997; NLRB case involving non-union criticism of company)

Union and company-criticism cases are better than porno cases!

http://www.undoc.com

Email as evidence Iran-Contra hearings (Oliver North) Clinton/Lewinsky (“deleted” emails) Microsoft antitrust cases (US v. Microsoft;

Caldera v. Microsoft) "The documents were never intended to meet

the eyes of anyone but the officers themselves, and were, as it were, cinematographic photographs of their purposes at the time they were written” (J. Learned Hand, US v. Corn Products, 1916)

http://www.undoc.com

Email as evidence:Monitoring a risk to employers “The degree of surveillance promoted … may

provide a wealth of information, but it may also prove to be a two edged sword. The data collected in such exercises becomes yet another source of material for discovery in employee litigation – especially in sex discrimination and harassment cases” (Privacy Law and Policy Reporter, Dec. 2000)

“Guerrilla Raids on the Honey Pot”

http://www.undoc.com

Email logs as “public records”Freedom of Information Act (FOIA)

requests Indiana cases

http://www.undoc.com

Email firings & suspensionsCentrelink, May 2000 (6 in Adelaide;

Australian Public Services Act)NSW Police, Dec. 2000 (5 out of 460;

including “violent” images)See “Job Loss Monitor” at

www.privacyfoundation.org/workplace

http://www.undoc.com

Self-protection?Web-based email: Hotmail, YahooPGPSafeWebBut does DIY really work?

Sample report: eSniff

http://www.esniff.com

Demo: Fatline(Web Surveillance)

http://www.fatline.com

http://www.undoc.com

Legislation Australian “employment records” exemption US proposals Not just “notice,” but ACCESS “Informed consent” requires information Exclusionary rule? Proportionality (“fishing expeditions”) Priv. Comm. Guidelines, March 2000

http://www.undoc.com

“Balance”?On any specific issue, privacy will (and

perhaps should) almost always loseBut if such individual results are added

up, the result would be no privacyHard choices more likely to be made by

courts than by legislators?