Date:       Wed, 04 Aug 93 14:31:51 EST
Errors-To:  Comp-privacy Error Handler <comp-privacy-request@PICA.ARMY.MIL>
From:       Computer Privacy Digest Moderator  <comp-privacy@PICA.ARMY.MIL>
To:         Comp-privacy@PICA.ARMY.MIL
Subject:    Computer Privacy Digest V3#009

Computer Privacy Digest Wed, 04 Aug 93              Volume 3 : Issue: 009

Today's Topics:				Moderator: Dennis G. Rears

                              Email Policy
    Disparate policies (was "Re: First Person broadcast on privacy")
                 Re: First Person broadcast on privacy
                 Re: First Person broadcast on privacy
                 Re: First Person broadcast on privacy
                 Re: First Person broadcast on privacy
                   Mail, E-Mail and Telephone Privacy

   The Computer Privacy Digest is a forum for discussion on the
  effect of technology on privacy.  The digest is moderated and
  gatewayed into the USENET newsgroup comp.society.privacy
  (Moderated).  Submissions should be sent to
  comp-privacy@pica.army.mil and administrative requests to
  comp-privacy-request@pica.army.mil.
   Back issues are available via anonymous ftp on ftp.pica.army.mil
  [129.139.160.133].
----------------------------------------------------------------------

Date: 03 Aug 93 17:57:14 EDT
From: William Hugh Murray <75126.1722@compuserve.com>
Subject: Email Policy


Much of the discussion here suggests that if management reads employee 
email, they are intrusive and capricious.  It should be noted that 
management has a positive responsibility to govern the use of all corporate 
resources.  Failure to do so will leave them, at best, open to charges of 
imprudence; at worst it will leave them civilly or even criminally liable 
for that failure.

The following guidance prepared for my clients may be of interest.

Copyright 1993, William Hugh Murray

Subject: Email Policy

         Principles:

         1. Every institution should have a policy dealing with the
         use of internal communications by employees.

         2. Policy should treat all communications including
         telephone, internal mail, voice mail, electronic mail, and
         any other.

         3. Policy should treat all internal communications in a
         similar manner.

         4. Policy should include the employee's responsibility to
         conserve the institution's resources, a reference to the
         employee's responsibility for security of data, and other
         responsibilities on which management relies.

         5. Policy should speak to the expectations of confidentiality
         that the employee should have.

         6. Policy should always reserve some right for management to
         look at the contents of the communications in order to
         preserve necessary options and to protect management when
         some manager or management surrogate acts at or beyond the
         limits of his authority.

         7. Special consideration should be given to any interface
         between internal communications and external and the
         responsibilities and expectations that arise there.


         Discussion:

         The absence of a policy is an invitation to misunderstanding
         and problems.  Management should clearly spell out its
         expectations and intentions.  Misunderstandings between
         management and employees have already resulted in contentious
         and expensive law suits.

         Email is already the dominant form of communications in some
         organizations.  It is used in many.  As use increases, so
         does the pressure for use.  This is a novel form of
         communications.  While management may think that everyone
         understands its intent and that everyone understands the
         same, anecdotal evidence suggests otherwise.

         The policy should treat all internal communications
         equitably and consistently.  Employees can be expected to
         project expectations learned from telephone and internal mail
         on to vmail and email.  Differences may cause
         confusion or encourage one mode at the expense of an
         otherwise more efficient one.  Exceptions or differences
         should be highlighted.

         Communications add greatly to the effectiveness of any
         institution.  They are also a major cost of doing business in
         the modern world.  Like other costs of business,
         communication cost has a fixed component that is relatively
         insensitive to changes in load or use, and a variable component
         that varies directly with the number and length of messages.

         Because the relation between fixed and variable cost is
         different for every business, and because the use of
         communications affects each institution's objectives
         differently, each institution has a different objective of
         how to regulate the use.  Institutions with high fixed cost,
         low variable cost, and a desire to encourage communications
         use in general, may be prepared to tolerate some employee use
         of internal communication, in part to encourage all use.
         Those with low fixed cost, high variable cost, and low
         dependence on communications, may wish to discourage all
         employee use.

         The policy should clearly express the employee's
         responsibility to conserve the resources of the
         institution.  It should spell out the conditions under which
         management is prepared to tolerate employee use or mixed
         business and employee use.  For example, "business
         communications facilities are to be used only for business
         purposes.  In emergencies exceptions may be individually
         approved by managers."  Alternatively, "business
         communication facilities are to be used only for management
         approved purposes.  Personal use should normally be
         restricted to emergencies or work/family arrangements."
         Finally, "While intended for business use, reasonable and
         limited use of business communications facilities is
         permitted as an accommodation of the work place.  Employees
         are expected to reimburse any toll charges."  All three of
         these are reasonable and defensible policies, but will result
         in very different levels of personal use.

         Likewise, the policy should speak to the employee's
         responsibility to protect the resources from conversion.  For
         example, "Employees are expected to protect and reserve to
         their own use all codes, account numbers, credit cards,
         passwords, tokens, keys, and other mechanisms provided to
         facilitate their use of business communications facilities.
         All compromises should be reported on a timely basis."

         The policy should communicate to the employees what
         expectation of privacy or confidentiality they may have.  For
         example, "In order to meet its responsibilities to its
         constituents, management routinely examines the contents of
         all communications on its facilities." Alternatively,
         "Management reserves the right to look at the content of all
         messages on its facilities.  Employees are encouraged to use
         alternative channels for confidential messages."  Finally,
         "Management respects the rights of employees to a reasonable
         expectation of confidentiality in their use of communications.
         Management will look at the content of messages only in
         emergencies and will treat the contents of all such messages
         as privileged communications between the originator and the
         addressees."

         When otherwise permitted by policy, employees may use
         business communications facilities for otherwise privileged
         communications.  For example, an employee may drop a
         sealed white envelope with a postage stamp, addressed to an
         outsider, into the internal mail with the expectation that the
         mailroom will deliver it to the post office.  If the policy
         permits and if the mailroom will routinely do this, then the
         mailroom may have assumed the responsibility to treat this
         envelope as first class mail, and management may have given
         up the right to look at the contents.

         While it has not yet been litigated, management should be
         sensitive to the fact that providing a gateway to an external
         email system and permitting employees to use the gateway, may
         make management party to a contractual or other obligation to
         respect the confidentiality of the message, even while it is
         on the internal system.  It may be useful for policy to speak
         to these issues.


------------------------------

From: Todd Jonz <Todd.Jonz@corp.sun.com>
Subject: Disparate policies (was "Re: First Person broadcast on privacy")
Date: 3 Aug 1993 22:30:56 GMT
Organization: Sun Microsystems, Inc.

In an earlier posting about personal privacy and corporate voice and data
networks I wrote:

	> I find it difficult to apply a common standard to seemingly similar
	> situations....It seems to me we need a single, consistent policy
	> that covers all these bases.

I was somewhat surprised that all of the responses to this posting
supported the idea that employers have every right to snoop on their
employees in just about any way they see fit.  (I happen to agree with
this point of view, although, like all of us, I certainly hope that
they exercise this right judiciously.)  Actually, I had expected to see
at least a few slightly more libertarian views expressed on the topic,
as is the case more often than not on some of the newsgroups I
frequent.  I guess I just haven't been following this one long enough
to have a clear picture of its demographics.  ;-)

gatech!dixie.com!jgd@uunet.uu.net writes:

	> Maybe it is because I've worked in government classified facilities
	> where it is always assumed that ANYTHING can be and usually is
	> monitored, but I just don't see the beef....IF working for a company
	> that monitors its communications facilities bothers you, either make
	> a case to the company to change the policy or find another
	> employer.

There's no beef.  If I somehow left the impression that Sun is snooping
on me and that I'm angry about it, please let me dispel that idea right
now.  I was merely indulging in a bit of public speculation on a topic
that interests me.  Sun does not, to the best of my knowledge, perform
any routine monitoring that I would personally consider to be
unsavory.

ptownson@delta.eecs.nwu.edu writes:

	> 'Single and consistent policies' tend to work to the employer's
	> favor, not yours.  If you tell your employer you don't think he is
	> being consistent by examining your email but not listening to your
	> phone calls, your employer might well decide to start listening to
	> phone calls as well in order to provide that consistency which is so
	> important to you.

I agree that "single and consistent policies" tend to be arbitrarily
rigid and generally inflexible.  But I think this response misses my
point.  If I were in a situation where some controversy arose over my
use of, say, an e-mail facility, I would inquire as to whether the same
policies are applied to the telephone facilities, and if they weren't I
would challenge the rule makers to justify the differences.  This might
work for me or against me depending on the specifics of the situation,
but in any event it would draw a lot of public attention to any
discrepancies, which I doubt would thrill my hypothetical employer.

In my experience it's very likely that companies don't really have
formal, published policies on a lot of these issues.  I've participated
in several software development projects which involved access to
company networks and systems by non-employees, and when security
questions were raised by the development team, we discovered somewhat
to our surprise that no appropriate policies existed at all.

I think that when it comes to matters as delicate as privacy, a formal,
published policy is extremely important.  Whether I personally like or
agree with the policy is not important; that a formal policy exist is,
I believe, essential.  After all, how will I know if my "rights" have
been violated if no one has ever bothered to define exactly what rights
I have, if any?  IMHO this is a case in which making up the lyrics
while you sing the song is thoroughly unacceptable.

Finally, in an article from an unrelated thread, 0004854540@mcimail.com
refers to a situation in which two disparate policies are applied to
essentially equivalent technologies:

	> Cellular phones have been monitored for a long time because they
	> operate in readily-tunable frequencies. This is now becoming an
	> issue because it has become public knowledge- the result is pressure
	> on cellular providers to go with digital cellular to help keep calls
	> private.

In light of recent rules changes, radios that are capable of or
"easily" modified to scan cellular telephone frequencies may no longer
be sold in the U.S.  These rules, as well as the Electronic
Communications Privacy Act (which essentially makes it illegal for you
and me to listen to someone else's cellular telephone conversation and
then discuss it idly over lunch) were pushed through the Congress by a
very powerful and well-funded cellular telephone lobby in an attempt to
impart what I consider a completely false sense of privacy to cellular
telephone users.

Contrast this with the fact that when police have used recordings of
cordless telephone conversations as evidence in criminal proceedings,
and defense attorneys have argued that their clients' right to privacy
has been violated, judges have repeatedly held that cordless telephones
operate on the "public air waves", and that their users should have no
reasonable expectation of privacy and ruled the evidence to be
admissible.

What's the difference between a cordless telephone and a cellular
telephone?  Certainly none that is significant from a technical
perspective.  Can anyone propose a scenario justifying why the rules
about eavesdropping on cellular and cordless telephone conversations by
the general public should be regulated differently?  I sure can't....

[Moderator's Note:  The only thing I can think of is that one eavesdrops
on cordless phones rather easily.  Every now and then I am about to make a
call and I start hearing someone's conversation. ._dennis ]

						-- Todd



------------------------------

Subject: Re: First Person broadcast on privacy
From: "Roy M. Silvernail" <roy@sendai.cybrspc.mn.org>
Date: Tue, 3 Aug 1993 18:29:17 CST
Organization: The Villa CyberSpace, executive headquarters

In comp.society.privacy, 0004854540@mcimail.com writes:

> Would that this were true. In fact what is happening is that the cellular
> providers are putting pressure on Governmental agencies to ban receivers
> capable of picking up cellular phone calls, or to make their use illegal.

I'm not sure that was the cellular providers' idea.  More of a now
typical legislative knee-jerk.

> What's worse is that the introduction of digital cellular is being delayed
> because the encryption provided was *too* good for the Government's liking.

As has been discussed on the TELECOM Digest, cellular providers have to
do _something_ soon simply to stem the tremendous fraud rate.  The
present analog system, with in-band signalling, is not even slightly
secure.  The cellphone's Electronic Serial Number (the magic number that
represents this one phone to the network) is sent in the clear with
every call setup.  Sure makes shoulder surfing easier. ;-)
-- 
Roy M. Silvernail --  roy@sendai.cybrspc.mn.org will do just fine, thanks.
  perl -e '$x = 1/20; print "Just my \$$x! (adjusted for inflation)\n"'
          "Does that not fit in with your plans?"
                      -- Mr Wiggen, of Ironside and Malone (Monty Python)

------------------------------

Date: Wed, 4 Aug 93 03:38 GMT
From: Christopher Zguris <0004854540@mcimail.com>
Subject: Re: First Person broadcast on privacy

In COMPUTER PRIVACY V3#008 hugh_davies.wgc1@rx.xerox.com writes:

>>>
Would that this were true. In fact what is happening is that the cellular
providers are putting pressure on Governmental agencies to ban receivers
capable of picking up cellular phone calls, or to make their use illegal.

What's worse is that the introduction of digital cellular is being delayed
because the encryption provided was *too* good for the Government's liking.
<<<

  Granted, the cellular carriers are putting up a smoke screen with the ban
on receivers as a way to cover their backsides cheaply. But now that I think
about it the wider publication about cellular fraud and cloning adds further
pressure towards digital. I just read somewhere that the switch to digital
is closer than it was and is only now hindered by "technical issues /
differences". But the bottom line is the pressure is there and I don't
believe the cellular providers can dodge criticism for the poor security
inherent in their current system.

  As far as encryption, I didn't realize digital cellular necessarily meant
encryption (I may very well be dead wrong here, I'm not that familiar with
digital cellular)- I thought it simply meant digitizing the audio using
simple analog-to-digital techniques. The theory being your average joe with
his receiver would only hear gibberish. I do know about the cases with the
Govt. wanting a "back door" into encryption systems, but didn't that get
trounced by everyone with any brains standing up and saying how incredibly
unsafe it would make everything to have any "back door" built in?

Chris
(in the digital / encryption dark over here!)

------------------------------

From: Bernie Cosell <cosell@world.std.com>
Subject: Re: First Person broadcast on privacy
Organization: Fantasy Farm Fibers
Date: Wed, 4 Aug 1993 11:06:08 GMT

In article <comp-privacy3.7.3@pica.army.mil>, John De Armond writes:

} ...  The owner of the facility has the right to do with it as he
} pleases.  Maybe it is because I've worked in government classified facilities
} where it is always assumed that ANYTHING can be and usually is monitored, but
} I just don't see the beef.  If you want private E-mail, rent an account
} on a system unrelated to work.  If you want private voice-mail, do the same.
} And if you want private paper mail, drop it in a US Postal service box.
} IF working for a company that monitors its communications facilities 
} bothers you, either make a case to the company to change the policy or 
} find another employer.

Let me just amplify the final point a bit: by and large, it is VERY hard
for me to see how an employer can allow a policy of ad-hoc mixing of
personal [and presumed private] facilities with real business facilities
*at*all*.

If, for example, you receive ALL of your email at
"you@yourcompany.com", then what should happen if you're away?
Must work stop?  Or can your employer assign someone else to carry
on your job... and if so, how could one separate the personal from
the professional?

Same thing with files [both computer AND paper!]: at some point,
*someone* will have a legitimate business need to find something
that you were last responsible for.  How to locate it unless they
have free rein to look through your directories [and file cabinets
and desk drawers and such]?

So I think that even John's last comment is more than you should
expect: if that "bothers" you, you should reflect more on the
difference between "business" and "personal", rather than hassling your
employer about it.

[Moderator's Note:  We have a good policy here at Picatinny in that
almost all individuals have email accounts.  We also have Office accounts
where "official" email goes.  When I am away I have a daemon (actually 3
of them) handle incoming mail.  
  One thing to consider is that most salaried people spend about 30% of
their life or 40% of their waking hours at work.  There is bound to be a
mixing of personal/business matters.  At home I have a notebook computer
for the express purpose of doing unpaid work at home or if I have to dial
in due to an emergency.  Likewise, at work I have some personal stuff in
my desk and computer.  ._dennis ]

  /Bernie\
-- 
Bernie Cosell                               cosell@world.std.com
Fantasy Farm Fibers, Pearisburg, VA         (703) 921-2358

------------------------------

From: "Wm. L. Ranck" <ranck@joesbar.cc.vt.edu>
Subject: Re: First Person broadcast on privacy
Date: 4 Aug 1993 13:43:22 GMT
Organization: Virginia Tech, Blacksburg, Virginia

John Higdon (john@zygot.ati.com) wrote:

: not depending upon them. Recently, a friend of mine was laid off from a
: large (VERY large) company. In the five years that he worked there, he
: had managed to get an e-mail account, voicemail, a company pager, and

: Suddenly, he was virtually without communications. No e-mail, no
: voicemail, nothing. What a scramble! He had to get an account on a
: private system for e-mail (this one!), scrounged a fax machine, had his
: pager moved to another account, etc., etc. The point is that you, the

Ahhh.  Poor baby!  How can he possibly live without e-mail, fax, and a
pager?  Oh woe, oh my.  Tsk, tsk.
   Anybody who feels seriously cut off because they don't have e-mail and
a pager is way too hooked on tech gadgets.  I'll admit, I like having 
e-mail and network access but if they disappeared tomorrow it wouldn't
be *that* big a deal.  I don't think I have received more than 3 or 4
faxes in the last year (all business related) and I have *never* seen a
need for a pager.  I can understand the need for those things in business,
but I still get flak from family and friends for having an answering machine.
I can't think of anybody that would ever try to contact me via fax or a pager
for personal reasons.

[Moderator's Note:  It depends on the person.  I depend on email and
telephone.  I know people who it wouldn't bother if they had no
phone.  At work I need the fax.  I've been resisting attempts of people
trying to get me a pager.  A pager would limit my freedom. ._dennis ]

--
* Bill Ranck             (703) 231-9503                     Bill.Ranck@vt.edu *
* Computing Center, Virginia Polytechnic Inst. & State Univ., Blacksburg, Va. *

------------------------------

Date: Wed, 4 Aug 1993 6:29:13 -0400 (EDT)
From: "Dave Niebuhr, BNL CCD, 516-282-3093" <NIEBUHR@bnlcl6.bnl.gov>
Subject: Mail, E-Mail and Telephone Privacy

In Computer Privacy Digest V3 #007 
"Patrick A. Townson" <ptownson@delta.eecs.nwu.edu> writes:

>> Todd Jonz <Todd.Jonz@corp.sun.com> wrote:
[... text about who can read mail deleted ...]
>
>Yes, In my opinion, the company DOES have the moral right to examine any
>mail placed in its outgoing mail facility.  How do I (as management) 
>know that the envelope actually contains a payment and not proprietary
>information?

I don't know about a moral right to examine any mail.  If I decide to
place my stamped envelope with my name and home address on it in the
outgoing mail drop at work, I certainly don't expect my employer to 
open it to find out what the contents are.

The on-site mail room is providing me with the convenience of not
having to walk about two blocks (if I don't decide to do that) to
give the envelope to the USPS myself (note the sig. for an official
zip code, not a branch office).

If, on the other hand, I receive mail at work and the envelope is
addressed to my business address, I don't have a complaint against
that; I am using their facilities to conduct business.  The same
goes for outgoing mail if, and only if, I use a business address and
the employer's envelope.

When it comes to personal mail, however, I do take a strong stand
and the USPS regs state that the only person who is legally entitled
to open that envelope is to whom it is addressed.

E-mail and telephones are another thing.  Even though my employer
states that it will accept reasonable personal use of the phones, I
still expect that it has the right to 'listen in' from time to time
since that is who is paying the bill.

I use US government computers; therefore, I expect that any and all
e-mail can and will be read at my employer's convenience if it desires
to do so.

If I wanted to go to the extreme, then I'd set up a commercial account
or install an Internet hookup on my own where I could exercise all
degrees of privacy that I desired.

Technically, I've broken some rule somewhere just by writing this since
it is coming from a Department of Energy computer, just as the Digest
comes from one belonging to the Army.

Dennis, you've stated your perspective on this before.  How about
restating it now?

Dave

[Moderator's Note:  Sure.  If the employer is providing the service
he/she has the right to monitor email, phone, or fax communication.  Just
because he has the right doesn't mean he/she should do it.  In any case,
the employer should put out what the policy is on this.  I agreed with
John Higdon's post on personal use of business property.  
  At our installation, the position on email is that it is private unless
there is a need to look at one's email for abuse.  Our director of IMD
(Computer Services) will only let people look at other people's files
under the commander's order.  Part of the reason for this is security/need
to know and another reason is to ensure that people will trust/use email.
  Dave mentions that this digest is run on a government computer.  He is
correct.  Actually it is a SPARCstation II running MMDF as the mail
transport agent and it feeds the digest into three nntp sites (uunet,
arl.army.mil, and uky.edu).  I am the (sole) system administrator of this
system which is part of a much larger workstation network that I administer.
  Our local policy on personal use of the computer is basically we
can use it to email and read/post news as long as it is kept to a minimum
and not done on government time.  I can run this list because it is
semi-related to my job and I do it on my own time.  Here at Picatinny we
have several Internet wide mailing lists.  I also run an exploder
list for the RISKS digest for military/government sites.  
  I apologize for the length of this, I was just going to write a short
blurb.  ._dennis ]


Dave Niebuhr      Internet: niebuhr@bnl.gov / Bitnet: niebuhr@bnl
Brookhaven National Laboratory Upton, LI, NY 11973  (516)-282-3093
Senior Technical Specialist: Scientific Computer Facility


------------------------------


End of Computer Privacy Digest V3 #009
******************************