Date: Wed, 04 Aug 93 14:31:51 EST Errors-To: Comp-privacy Error Handler From: Computer Privacy Digest Moderator To: Comp-privacy@PICA.ARMY.MIL Subject: Computer Privacy Digest V3#009 Computer Privacy Digest Wed, 04 Aug 93 Volume 3 : Issue: 009 Today's Topics: Moderator: Dennis G. Rears Email Policy Disparate policies (was "Re: First Person broadcast on privacy") Re: First Person broadcast on privacy Re: First Person broadcast on privacy Re: First Person broadcast on privacy Re: First Person broadcast on privacy Mail, E-Mail and Telephone Privacy The Computer Privacy Digest is a forum for discussion on the effect of technology on privacy. The digest is moderated and gatewayed into the USENET newsgroup comp.society.privacy (Moderated). Submissions should be sent to comp-privacy@pica.army.mil and administrative requests to comp-privacy-request@pica.army.mil. Back issues are available via anonymous ftp on ftp.pica.army.mil [129.139.160.133]. ---------------------------------------------------------------------- Date: 03 Aug 93 17:57:14 EDT From: William Hugh Murray <75126.1722@compuserve.com> Subject: Email Policy Much of the discussion here suggests that if management reads employee email, they are intrusive and capricious. It should be noted that management has a positive responsibility to govern the use of all corporate resources. Failure to do so will leave them, at best, open to charges of imprudence; at worst it will leave them civilly or even criminally liable for that failure. The following guidance prepared for my clients may be of interest. Copyright 1993, William Hugh Murray Subject: Email Policy Principles: 1. Every institution should have a policy dealing with the use of internal communications by employees. 2. Policy should treat all communications including telelphone, internal mail, voice mail, electronic mail, and any other. 3. Policy should treat all internal communications in a similar manner. 4. Policy should include the employee's responsibility to conserve the institution's resources, a reference to the employee's responsibility for security of data, and other responsibilities on which management relies. 5. Policy should speak to the expectations of confidentiality that the employee should have. 7. Policy should always reserve some right for management to look at the contents of the communications in order to preserve necessary options and to protect management when some manager or management surrogate acts at or beyond the limits of his authority. 6. Special consideration should be given to any interface between internal communications and external and the responsibilities and expectations that arise there. Discussion: The absence of a policy is an invitation to misunderstanding and problems. Management should clearly spell out its expectations and intentions. Misunderstandings between management and employees have already resulted in contentious and expensive law suits. Email is already the dominant form of communications in some organizations. It is used in many. As use increases, so does the pressure for use. This is a novel form of communications. While management may think that everyone understands its intent and that everyone understands the same, anecdotal evidence suggests otherwise. The policy should treat all internal communications equitably and consistently. Employees can be expected to project expectations learned from telephone and internal mail on to vmail and email. Differences may cause confusion or encourage one mode at the expense of an otherwise more efficient one. Exceptions or differences should be highlighted. Communications add greatly to the effectiveness of any institution. They are also a major cost of doing business in the modern world. Like other cost of business, communication cost has a fixed component that is relatively insensitive to changes in load or use, and a variable component that varies directly with the number and length of messages. Because the relation between fixed and variable cost are different for every business, and because the use of communications affects each institution's objectives differently, each institution has a different objective of how to regulate the use. Institutions with high fixed cost, low variable cost, and a desire to encourage communications use in general, may be prepared to tolerate some employee use of internal communication, in part to encourage all use. Those with low fixed cost, high variable cost, and low dependence on communications, may wish to discourage all employee use. The policy should clearly express the employee's responsibility to conserve the resources of the institution. It should spell out the conditions under which management is prepared to tolerate employee use or mixed business and employee use. For example, "business communications facilities are to be used only for business purposes. In emergencies exceptions may be individually approved by managers." Alternatively, "business communication facilities are to used only for management approved purposes. Personal use should normally be restricted to emergencies or work/family arrangements. Finally, "While intended for business use, reasonable and limited use of business communications facilities is permitted as an accommodation of the work place. Employees are expected to reimburse any toll charges." All three of these are reasonable and defensible policies, but will result in very different levels of personal use. Likewise, the policy should speak to the employee's responsibility to protect the resources from conversion. For example, "Employees are expected to protect and reserve to their own use all codes, account numbers, credit cards, passwords, tokens, keys, and other mechanisms provided to facilitate their use of business communications facilities. All compromises should be reported on a timely basis." The policy should communicate to the employees what expectation of privacy or confidentiality they may have. For example, "In order to meet its responsibilities to its constituents, management routinely examines the contents of all communications on its facilities." Alternatively, "Management reserves the right to look at the content of all messages on its facilities. Employees are encouraged to use alternative channels for confidential messages." Finally, "Management respects the rights of employees to a reasonable expection of confidentiality in their use of communications. Management will look at the content of messages only in emergencies and will treat the contents of all such messages as privileged communications between the originator and the addressees." When otherwise permitted by policy, employees may use business communications facilities for otherwise privileged communications. For example, an employee may drop a sealed white envelope with a postage stamp, addressed to an outsider, into the internal mail with the expectation that the mailroom will deliver it to the post office. If the policy permits and if the mailroom will routinely do this, then the mailroom may have assumed the responsiblity to treat this envelope as first class mail, and management may have given up the right to look at the contents. While it has not yet been litigated, managment should be sensitive to the fact that providing a gateway to an external email system and permitting employees to use the gateway, may make management party to a contractual or other obligation to respect the confidentiality of the message, even while it is on the internal system. It may be useful for policy to speak to these issues. ------------------------------ From: Todd Jonz Subject: Disparate policies (was "Re: First Person broadcast on privacy") Date: 3 Aug 1993 22:30:56 GMT Organization: Sun Microsystems, Inc. In an earlier posting about personal privacy and corporate voice and data networks I wrote: > I find it difficult to apply a common standard to seemingly similar > situations....It seems to me we need a single, consistent policy > that covers all these bases. I was somewhat surprised that all of the responses to this posting supported the idea that employers have every right to snoop on their employyees in just about any way they see fit. (I happen to agree with this point of view, although, like all of us, I certainly hope that they exercise this right judiciously.) Actually, I had expected to see at least a few slightly more libertarian views expressed on the topic, as is the case more often than not on some of the newsgroups I frequent. I guess I just haven't been following this one long enough to have a clear picture of its demographics. ;-) gatech!dixie.com!jgd@uunet.uu.net writes: > Maybe it is because I've worked in government classified facilities > where it is always assumed that ANYTHING can be and usually is > monitored, but I just don't see the beef....IF working for a company > that monitors its communications facilities bothers you, either make > a case to the company to change the policy or find another > employer. There's no beef. If I somehow left the impression that Sun is snooping on me and that I'm angry about it, please let me dispel that idea right now. I was merely indulging in a bit of public speculation on a topic that interests me. Sun does not, to the best of my knowledge, perform any routine monitoring that I would personally consider to be unsavory. ptownson@delta.eecs.nwu.edu writes: > 'Single and consistent policies' tend to work to the employer's > favor, not yours. If you tell your employer you don't think he is > being consistent by examining your email but not listening to your > phone calls, your employer might well decide to start listening to > phone calls as well in order to provide that consistency which is so > important to you. I agree that "single and consistent policies" tend to be arbitrarily rigid and generally inflexible. But I think this response misses my point. If I were in a situation where some controversy arose over my use of, say, an e-mail facility, I would inquire as to whether the same policies are applied to the telephone facilities, and if they weren't I would challenge the rule makers to justify the differences. This might work for me or against me depending on the specifics of the situation, but in any event it would draw a lot of public attention to any discrepancies, which I doubt would thrill my hypothetical employer. In my experience it's very likely that companies don't really have formal, published policies on a lot of these issues. I've participated in several software development projects which involved access to company networks and systems by non-employees, and when security questions were raised by the development team, we discovered somewhat to our surprise that no appropriate policies existed at all. I think that when it comes to matters as delicate as privacy, a formal, published policy is extremely important. Whether I personally like or agree with the policy is not important; that a formal policy exist is, I believe, essential. After all, how will I know if my "rights" have been violated if no one has ever bothered to define exactly what rights I have, if any? IMHO this is a case in which making up the lyrics while you sing the song is thoroughly unacceptable. Finally, in an article from an unrelated thread, 0004854540@mcimail.com refers to a situation in which two disparate policies are applied to essentially equivalent technologies: > Cellular phones have been monitored for a long time because they > operate in readily-tunable frequencies. This is now becoming an > issue because it has become public knowledge- the result is pressure > on cellular providers to go with digital cellular to help keep calls > private. In light of recent rules changes, radios that are capable of or "easily" modified to scan cellular telephone frequencies may no longer be sold in the U.S. These rules, as well as the Electronic Communications Privacy Act (which essentially makes it illegal for you and me to listen to someone else's cellular telehone converstaion and then discuss it idly over lunch) were pushed through the Congress by a very powerful and well-funded cellular telephone lobby in an attempt to impart what I consider a completely false sense of privacy to cellular telephone users. Contrast this with the fact that when police have used recordings of cordless telephone conversations as evidence in criminal proceedings, and defense attorneys have argued that their clients' right to privacy has been violated, judges have repeatedly held that cordless telephones operate on the "public air waves", and that their users should have no reasonable expectation of privacy and ruled the evidence to be admissible. What's the difference between a cordless telephone and a cellular telephone? Certainly none that is significant from a technical perspective. Can anyone propose a scenario justifying why the rules about eversdropping on cellular and cordless telephone conversations by the general public should be regulated differently? I sure can't.... [Moderator's Note: The only thing I can think of is that one eavesdrops on cordless phone rather easily. Every now and then I about to make a call and I start hearing someone's converstation. ._dennis ] -- Todd ------------------------------ Subject: Re: First Person broadcast on privacy From: "Roy M. Silvernail" Date: Tue, 3 Aug 1993 18:29:17 CST Organization: The Villa CyberSpace, executive headquarters In comp.society.privacy, 0004854540@mcimail.com writes: > Would that this were true. In fact what is happening is that the cellular > providers are putting pressure on Governmental agencies to ban receivers > capable of picking up cellular phone calls, or to make their use illegal. I'm not sure that was the cellular providers' idea. More of a now typical legislative knee-jerk. > What's worse is that the introduction of digital cellular is being delayed > because the encryption provided was *too* good for the Government's liking. As has been discussed on the TELECOM Digest, cellular providers have to do _something_ soon simply to stem the tremendous fraud rate. The present analog system, with in-band signalling, is not even slightly secure. The cellphone's Electronic Serial Number (the magic number that represents this one phone to the network) is sent in the clear with every call setup. Sure makes shoulder surfing easier. ;-) -- Roy M. Silvernail -- roy@sendai.cybrspc.mn.org will do just fine, thanks. perl -e '$x = 1/20; print "Just my \$$x! (adjusted for inflation)\n"' "Does that not fit in with your plans?" -- Mr Wiggen, of Ironside and Malone (Monty Python) ------------------------------ Date: Wed, 4 Aug 93 03:38 GMT From: Christopher Zguris <0004854540@mcimail.com> Subject: Re: First Person broadcast on privacy In COMPUTER PRIVACY V3#008 hugh_davies.wgc1@rx.xerox.com writes: >>> Would that this were true. In fact what is happening is that the cellular providers are putting pressure on Governmental agencies to ban receivers capable of picking up cellular phone calls, or to make their use illegal. What's worse is that the introduction of digital cellular is being delayed because the encryption provided was *too* good for the Government's liking. <<< Granted, the cellular carriers are putting up a smoke screen with the ban on receivers as a way to cover their backsides cheaply. But now that I think about it the wider publication about cellular fraud and cloning adds further pressure towards digital. I just read somewhere that the switch to digital is closer than it was and is only now hindered by "technical issues / differences". But the bottom line is the pressure is there and I don't believe the cellular providers can dodge criticism for the poor security inherent in their current system. As far as encryption, I didn't realize digital cellular necessarily meant encryption (I may very well be dead wrong here, I'm not that familiar with digital cellular)- I thought it simply meant digitizing the audio using simple analog-to-digital techniques. The theory being your average joe with his receiver would only hear gibberish. I do now about the cases with the Govt. wanting a "back door" into encryption systems, but didn't that get trounced by everyone with any brains standing up and saying how incredibly unsafe it would make everything to have any "back door" built in? Chris (in the digital / encryption dark over here!) ------------------------------ From: Bernie Cosell Subject: Re: First Person broadcast on privacy Organization: Fanttasy Farm Fibers Date: Wed, 4 Aug 1993 11:06:08 GMT In article , John De Armond writes: } ... The owner of the facility has the right to do with it as he } pleases. Maybe it is because I've worked in government classified facilities } where it is always assumed that ANYTHING can be and usually is monitored, but } I just don't see the beef. If you want private E-mail, rent an account } on a system unrelated to work. If you want private voice-mail, do the same. } And if you want private paper mail, drop it in a US Postal service box. } IF working for a company that monitors its communications facilities } bothers you, either make a case to the company to change the policy or } find another employer. Let me just amplify the final point a bit: by and large, it is VERY hard for me to see how employer can allow a policy of ad-hoc mixing of person [and presumed private] facilities with real business facilities *at*all*. If, for example, you receive ALL of your email at "you@yourcompany.com", then what should happen if you're away? Must work stop? Or can your employer assign someone else to carry on your job... and if so, how could one separate the personal from the professional? Same thing with files [both computer AND paper!]: at some point, *someone* will have a legitimate business need to find something that you were last responsible for. How to locate it unless they have free rein to look through your directories [and file cabinets and desk drawers and such]? So I think that even John's last comment is more than you should expect: if that "bothers" you, you should reflect more on the difference between "business" and "personal", rather than hassling your employer about it. [Moderator's Note: We have a good policy here at Picatinny in that almost all individuals have email accounts. We also have Office accounts where "official" email goes. When I am away I have a daemon (actually 3 of them) handle incoming mail. One thing to consider is that most salaried people spend about 30% of their life or 40% of their waking hours at work. There is bound to be a mixing of personal/business matters. At home I have a notebook computer for the express purpose of doing unpaid work at home or if I have to dial in due to an emergency. Likewise, at work I have some personal stuff in my desk and computer. ._dennis ] /Bernie\ -- Bernie Cosell cosell@world.std.com Fantasy Farm Fibers, Pearisburg, VA (703) 921-2358 ------------------------------ From: "Wm. L. Ranck" Subject: Re: First Person broadcast on privacy Date: 4 Aug 1993 13:43:22 GMT Organization: Virginia Tech, Blacksburg, Virginia John Higdon (john@zygot.ati.com) wrote: : not depending upon them. Recently, a friend of mine was laid off from a : large (VERY large) company. In the five years that he worked there, he : had managed to get an e-mail account, voicemail, a company pager, and : Suddenly, he was virtually without communications. No e-mail, no : voicemail, nothing. What a scramble! He had to get an account on a : private system for e-mail (this one!), scrounged a fax machine, had his : pager moved to another account, etc., etc. The point is that you, the Ahhh. Poor baby! How can he possibly live without e-mail, fax, and a pager? Oh woe, oh my. Tsk, tsk. Anybody who feels seriously cut off because they don't have e-mail and a pager is way too hooked on tech gadgets. I'll admit, I like having e-mail and network access but if they disappeared tomorrow it wouldn't be *that* big a deal. I don't think I have received more than 3 or 4 faxes in the last year (all business related) and I have *never* seen a need for a pager. I can understand the need for those things in business, but I still get flak from family and friends for having an answering machine. I can't think of anybody that would ever try to contact me via fax or a pager for personal reasons. [Moderator's Note: It depends on the person. I depend on email and telephone. I know people who it wouldn't bother if they had no phone. At work I need the fax. I've been resisting attempts of people trying to get me a pager. A pager would limit my freedom. ._dennis ] -- * Bill Ranck (703) 231-9503 Bill.Ranck@vt.edu * * Computing Center, Virginia Polytchnic Inst. & State Univ., Blacksburg, Va. * ------------------------------ Date: Wed, 4 Aug 1993 6:29:13 -0400 (EDT) From: "Dave Niebuhr, BNL CCD, 516-282-3093" Subject: Mail, E-Mail and Telephone Privacy In Computer Privacy Digest V3 #007 "Patrick A. Townson" writes: >> Todd Jonz wrote: [... text about who can read mail deleted ...] > >Yes, In my opinion, the company DOES have the moral right to examine any >mail placed in its outgoing mail facility. How do I (as management) >know that the envelope actually contains a payment and not proprietary >information? I don't know about a moral right to examine any mail. If I decide to place my stamped envelope with my name and home address on it in the outgoing mail drop at work, I certainly don't expect my employer to open it to find out what the contents are. The on-site mail room is providing me with the convenience of not having to walk about two blocks (if I don't decide to do that) to give the envelope to the USPS myself (note the sig. for an official zip code, not a branch office). If, on the other hand, I receive mail at work and the envelope is addressed to my business address, I don't have a complaint against that; I am using their facilities to conduct business. The same goes for outgoing mail if, and only if, I use a business address and the employer's envelope. When it comes to personal mail, however, I do take a strong stand and the USPS regs state that the only person who is legally entitled to open that envelope is to whom it is addressed. E-mail and telephones are another thing. Even though my employer states that it will accept reasonable personal use of the phones, I still expect that it has the right to 'listen in' from time to tiime since that is who is paying the bill. I use US government computers; therefore, I expect that any and all e-mail can and will be read at my employer's convenience if it desires to do so. If I wanted to go to the extreme, then I'd set up a commercial account or install an Internet hookup on my own where I could exercise all degrees of privacy that I desired. Technically, I've broken some rule somewhere just by writing this since it is coming from a Department of Energy computer, just as the Digest comes from one belonging to the Army. Dennis, you've stated your perspective on this before. How about restating it now? Dave [Moderator's Note: Sure. If the employer is providing the service he/she has the right to monitor email, phone, or fax communication. Just because he has the right doesn't mean he/she should do it. In any case, the employer should put out what the policy is on this. I agreed with John Hidgon's post on personal use of business property. At our installation, the position on email is that it is private unless there is a need to look at one's email for abuse. Our director of IMD (Computer Services) will only let people look at other people's files under the commander's order. Part of the reason for this is security/need to know and another reason is to ensure that people will trust/use email. Dave mentions that this digest is run on a government computer. He is correct. Actually it is a SPARCstation II running MMDF as the mail transport agent and it feeds the digest into three nntp sites (uunet, arl.army.mil, and uky.edu). I am the (sole) system administrator of this system which is part of a much larger workstation network that I administer. Our local policy on personal use of the computer is basically we can use it to email and read/post news as long as it is kept to a minimum and not done on government time. I can run this list because it is semi-related to my job and I do it on my own time. Here at Picatinny we have several Internet wide mailing lists. I also run the an exploder list for the RISKS digest for military/government sites. I apologize for the length of this, I was just going write a short blurb. ._dennis ] Dave Niebuhr Internet: niebuhr@bnl.gov / Bitnet: niebuhr@bnl Brookhaven National Laboratory Upton, LI, NY 11973 (516)-282-3093 Senior Technical Specialist: Scientific Computer Facility ------------------------------ End of Computer Privacy Digest V3 #009 ******************************