Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Privacy

Where is the Line on Email Privacy? 103

Posted by Cliff from the dicey-moral-issues dept.
A Conflicted Hosting Admin asks: "Imagine you're a webmaster running your own server. You provide email accounts to a third party as a 'service' in addition to hosting a web site for the third party. Now, suppose that one of the companies that you are hosting a site and email addresses for decides they need access to an email account for a previously disassociated employee. Does that company now have access to the email even though there is no written contract nor technology use policy? Where does the independent hoster look for guidance on something such as this?"

"It could be interpreted that the company is looking for evidence of impropriety or dishonesty on the part of the prior employee, but there was never a question before the sudden termination to suggest anything out of the ordinary was ongoing. I am such an admin. I am ready to allow access to the company requesting it. Several details are bugging me though. First, I have never been asked for access to any other terminated employees' email. Second, I recently inquired about preserving email for a different employee and got the short answer that all company ties had to be completely terminated. Third, the server is not owned by the company in question. I'm completely (other than the following item) independent of the company. Fourth, it's my relative's account.
I've simply not responded so far, but how far do I go? I'm not an ISP and I don't have agreements with the users. I'm also not the IT dept. Has anyone else had anything remotely similar, and if so; how did you respond?"
This discussion has been archived. No new comments can be posted.

Where is the Line on Email Privacy? More

Where is the Line on Email Privacy?

Comments Filter:

  • Is this a business account? (Score:5, Insightful)

    by kinnell ( 607819 ) on Friday January 30, 2004 @06:18AM (#8133134)
    If the email account in question is a work account provided to the employee by the company for work use, then the contents of the account are normally the property of the company, not the employee. Normally, the employee should not be using the account for personal use anyway, so any violations of his privacy are his own fault. Business email accounts generally contain a lot of valuable information pertaining to the job of the former employee which the company is perfectly entitled to recover.

    • Re:Is this a business account? (Score:5, Interesting)

      by hummassa ( 157160 ) on Friday January 30, 2004 @07:12AM (#8133336) Homepage Journal
      NOT here in Brasil. E-mail is by law on par with telephonical communications, so tapping without judicial warrant is a crime. Total privacy is expected.

      My personal policy in those cases is: the mailbox was empty at the time the account was blocked. All e-mail to it was bounced since.

      • Re:Is this a business account? (Score:1, Insightful)

        by Anonymous Coward
        You can't legislate security. Laws do not stop people from listening to wireless telephone calls with baby monitors or scanners. If you want privacy in email communications then use PGP, or GnuPG.

      • NOT here in Brasil. E-mail is by law on par with telephonical communications, so tapping without judicial warrant is a crime. Total privacy is expected.

        You, but no matter where you are a lot hinges on whose account it was--the company's or the employee's. Sometimes, it's obvious (bob.smith.personal@company.com or customer.service@company.com) but most of the time it's not. Many small companies have customers direct mail to an individual ("just send me your shipping info and I'll get that right out to

        • No, no, no, to the law only matters whose communication it is. So, my mailbox in the company account is mine. It's my communication. Even if stated in a contract, the clause can be voided because of this.
          • but to perform that communication you are using work equipment...work bandwidth...work software licenses owned by the company. There is no reason that you should think that any of this belongs to you. If you program software on your work computer during work time, it is owned by the company, not you, why would email be any different??
            • If you program software on your work computer during work time, it is owned by the company, not you

              I believe by UK law that is not the case. software programmed by you that has no relevance to your job whatsoever is still owned by you. Interestingly, you can also claim ownership of program code in your field of work if you come up with an innovation in that field that you would not be expected to produce, ie coming up with a brand new ultra high speed sorting algorithm while doing some low level grunt

              • I believe by UK law that is not the case. software programmed by you that has no relevance to your job whatsoever is still owned by you.

                Really? If, as the grandparent post said, the software was written on work time, I'd assume (but it is an assumption) that it belonged to my employer.

                My employment contract does state explicitly that the company has no claim over anything I write using neither work resources nor work time, which seems a reasonable compromise on the "who owns it" question. I wasn't awa

                • hmm.. istr that what i said is true, but right now I can't find rteference to it online. I originally found it when I was in the library reading books abut copyright law, but it was a couple of years ago and my notes are in a notead elsewhere.

                  not much help I know but if it's important to you, central libraries have lots of useful books about this kinda thing :)

                  dave
            • So? It's your own communication and you have an expectation of privacy unless your business specifically states something like, "Emails are being monitored for quality control purposes" or similar telephone conversations.

              You're stupid to think that just because someone else owns the lines, you suddenly don't have any privacy. The telephone company owns the lines you use to tell the latest dirty secret to your wife.. by your logic, they have a right to listen in.

              Duh!
              • We were talking about a company. About doing things on company time. Get a clue you screwhead, you are purchasing a service from the phone company, but when you are an employee you are doing work FOR someone. And I put disclaimers in both a login script and the company handbook about email being the property of the company, any admin that doesnt probably shouldnt be an admin.
                • You're exactly right. I work for a company which has taken the same approach, with great results. If we're paying you, we get to monitor your traffic to make sure you're actually working and not just goofing off posting comments on /.

                  Oh wait...dammit.....
                • Hey. Idiot. It's irrelevant whether you're doing things on company time. The company doesn't OWN the employee during the hours he's working for them. He does NOT become a zombie drone-slave, and there's this little thing called basic human rights that each of us enjoy--since, as you may or may not be aware, we all live in a first-world country that supposedly treasures freedom.

                  The owner of the email is the employee, and the only one with the right to read it is the recipient, unless it's corporate email.

                  P
                  • Its troll's like you that get fired because they fuck off on 'THEIR' computer because they feel the company owe's them something, then because of their own inability to cope with a work environment and function in society, they go on welfare and make me pay more taxes to support their fucking lazy bum asses while you marry some fat chick and have 6 kids to sponge off every welfare program available. Its called COMPANY EMAIL for a reason, it belongs to the company. You perform company business over it, it
                    • That the best you can do?

                      You're damn fucking straight a company owes me something: Simple human dignity. If you treat an employee like a fucking scumbag, they're far more likely to act like one.

                      And who's the troll? I have no problem putting food on the table, and I won't have a problem doing so for many years to come.

                      If the only way to communicate with personal relations is via company email, the company has no right to listen in to the latest saga in that employee's personal health problems.

                      You think y

                    • Its troll's like you that get fired because they fuck off on 'THEIR' computer...go on welfare and make me pay more taxes to support their fucking lazy bum asses...Its called COMPANY EMAIL for a reason, it belongs to the company...your damn right I own it!!

                      Quite aside from what the law says or doesn't say, it's asshole bosses like you who make companies fail.

                      Treat your employees like shit, and you'll never get good performance. It is fundamentally impossible to have accurate communication with people

                    • override11 whined:
                      [...] and make me pay more taxes to support their fucking lazy bum asses while you marry some fat chick and have 6 kids [...]

                      I think you slipped and made your personal prejudices a little bit too apparant there.

                      Pete.
                    • Bull, you can pick up the phone and call them FROM HOME! the point is that personal calls / emails / communications do not belong at work! THE CONVERSATION IS ABOUT EMAIL! I didnt say anything about toilets, jesus christ dude, I could give a crap about that. The whole point is that there should be a seperation between home life and work life. If you had an employee that YOU were paying spending 30% of their time penning emails home or sitting on the phone, you are saying you wouldnt care???? That you w

                    • If you had an employee that YOU were paying spending 30% of their time penning emails home or sitting on the phone, you are saying you wouldnt care???? That you wouldnt audit their email and phone use to verify that they are spending a ton of time on personal business, then fire them for it????

                      If they're spending 30% of their time on personal phone calls, their work won't get done, their job performance will be terrible, and you'll have adequate grounds for termination - without having to audit e-mail o

                    • I am sorry, the prior poster was pissing me off. The last thing I want to do all day is look at ANYONE's email. I dont care, and frankly its none of my business. The whole point is the RIGHT to. As a company, the email and the equipment is owned by the company, and the fact that the employee feels they have the right to use them for personal business is rediculous.

                    • As a company, the email and the equipment is owned by the company, and the fact that the employee feels they have the right to use them for personal business is rediculous.

                      But is it?

                      Of course, as an employer, you're entitled to expect your employees to do their jobs to the best of their ability, in exchange for whatever compensation you agreed. That is not in question.

                      However, you also have to recognise that you're employing real people with real lives. Some things basically have to be done during o

                • We were talking about a company. About doing things on company time. [...] And I put disclaimers in both a login script and the company handbook about email being the property of the company, any admin that doesnt probably shouldnt be an admin.

                  Ah, so that's your bias here. You're not by any chance also based in the US, are you? This heartfelt attitude of "employees are slaves to their employers" seems to be peculiar to (management in) that part of the world.

                  Fortunately, just because you wrote somethin

          • Re:Is this a business account? (Score:4, Interesting)

            by MarkusQ ( 450076 ) on Friday January 30, 2004 @11:21AM (#8134874) Journal

            No, no, no, to the law only matters whose communication it is.

            Fine, but that doesn't change my point.

            So, my mailbox in the company account is mine. It's my communication.

            It might be, but it might be someone you have never met trying to contact the company to get a problem resolved, order something, etc.

            My point is and was that you can't reasonably assume that all mail that comes to someone's e-mail account at work is an attempt to communicate with them and not an attempt to communicate with the company. If bdp@cryptic.com is answered by a guy named Bruce for a while and then subsequently given to someone named Betty, it might be a case where she's getting his personal communications (e.g. he's Bruce Donald Parsly and she's Betty Due Purdy), or it might be the company's (e.g., they both handle support for the company's Best Darned Product (tm) and he's just been promoted to janitor, leaving her stuck withall the support mail).

            The point? You can't tell for sure without more information.

            -- MarkusQ

          • In the US this simply isn't true.

            IF the facilities are owned by the company, then you have no privacy. It's as simple as that. Haven't you guys heard of all the neat spyware some employers use to watch the activities of employees? That's all legal in a work setting.

            The thing that puts this into a gray zone in my mind is that the company doesn't own the hardware. They own the email address itself to the extent that you own mycompany.com. Yet if this provider is doing this without compensation I would ima
    • If the email account in question is a work account provided to the employee by the company for work use, then the contents of the account are normally the property of the company, not the employee.

      This is incorrect. An employee has a right to privacy, even for work provided email, here in the EU.

    • Re:Is this a business account? (Score:5, Interesting)

      by (trb001) ( 224998 ) on Friday January 30, 2004 @10:44AM (#8134518) Homepage
      Specifically, whoever paid for the accounts is the owner. Assuming that the company is paying you to host the site/mail accounts, they own them all and 'sublet' the accounts to their employees. Once that employee has vacated, the account is yours again.

      --trb
    • My small gamedev co. used to serve up our own email, but when we downgraded from a T1 to DSL (we were sharing the T1 with a neighbor who moved) we switched to hosting.

      Since we were used to full control, we went with something that provided administration features via the webmail system. With this we can set up lists, and more relevantly to this issue, set users passwords (among other things).

      If ever somebody left the company (good terms or not) and we needed access to their email (for evidence, or just
      • I know, it doesn't help with the current situation of allowing access or not, but it would help to keep it from happening in the future.
        Also, our CEO also has the password to the admin account, so if the Sr. producer left, the CEO would still be able to access it.
    • a work account provided to the employee by the company for work use

      It's generally recognized, though, that individuals are permitted to do private things while at work. One's spouse calls on the company phone to have one bring stop at the store to bring home some tofu or whatever: the phone (and email) is a conduit to the private world.

      At the University of California a former employee's email account might be suspended but it is never released to that former employees nominal employer (the supervisor,
  • IANAL, in the UK the standard policy is to quote the Data Protection Act and delete any evidence.

    If the employee's contract, like mine, states that the company owns all e-mail communication then they owns it.

    • Re:employee contact (Score:3, Interesting)

      by shaitand ( 626655 )
      If the company's account without the ISP DOESN'T state the company owns it, wouldn't it actually be the ISP's property?
    • If the employee's contract, like mine, states that the company owns all e-mail communication then they owns it.

      Nope, because you are in the EU and the EU Human Rights convention grants you the right to have your privacy respected, as implemented in, eg in the UK, the Human Rights Act. There already has been a case before the EUCHR on this subject, i cant find reference to in google unfortunately, but the gist was that an employer read an employees mail and discovered they were gay and the employer was tak

  • In my case (Score:2, Interesting)

    by sdukaric ( 640170 )
    I'm providing some of those services to some smaller bussines. If I've got information that some user is not longer working for that company, I would delete/remove all the data associated with him same moment. There is few catches about it, but as sooner You remove them, the less chance is to end up with some horny manager asking for mail from cute secretary which was fired. To sum up, I'll go with "right on time" removal of all former employee data, and in case employee still HAS account/data in my syste

    • Re:In my case (Score:3, Insightful)

      by JohnQPublic ( 158027 )

      I'm not going ethical into these things, I'm selling services...

      If that's so, then you shouldn't be doing what you said you'd do. If your customer (the employer) tells you to delete the account, you delete it. But if they want the data, at least in the USA, it's theirs. And if you delete it, expect them to ask for the data to be restored from your backups.

      Failing to turn it over to them or deleting it without their permission may get you sued, and rightly so. Unless your contract with the employer s

  • Remeber who is paying (Score:5, Interesting)

    by elp ( 45629 ) on Friday January 30, 2004 @06:27AM (#8133177)
    I work for a shared website hosting company, our policy is that the entity paying for the site and the mailboxes owns them, in this case the company.

    How they choose to use the mail boxes is their business. Trying to override your customers idea of correct policy towards their staff will only cost you their business and the resulting bad reputation will hurt you.

    My sympathies if its your relative, you could always lie and say that the box was deleted when the employee left.
    • That's what I said in my other comment about my personal policy on this (and yes, I sysadmined six years);

      Scenario 1:

      Co -- hi. this is your client, company X, and we'd like to disable account to employee Y.
      Me -- ok, one minute, ok. the account is disabled.
      Co -- oh, and I would like the content of the mailbox to be sent to employee Z.
      Me -- ok, one minute, ok. the mbox was empty [NOTE: don't even bother to look].
      Co -- oh, and I would like to redirect all e-mail sent to it to employee Z, also.
      Me -- ok, one m
      • OK, now THAT'S unethical. You're outright lying to your customer. I sure hope my company never does business with yours.

      • You email passwords? Unencrypted? In the freakin' clear?

        Dude... I'm nervous about giving passwords over the phone if I don't know the recipient well. That's trusting a lot of security, including their [the recipient of the password] Outlook Express and virus scanner. Odds are, that email will be saved. Some viruses have forwarded out old emails for fun.

        Are you still a sysadmin?

        • 1. who said anything about e-mail?
          2. who said anything about unencrypted?
          3. yes and no. I work as a developer and as a system administration (yes, security) consultant.

          HTH,
          • Sorry. Read the "send the password" as via email, when it does not specifically say, and I've never seen a sales droid who used encrytped or signed email of any kind. Wasn't awake and needed to rant. Please don't take it personally.

            -Josh
            • According to Kevin Mitnick roughly (insert large number here)% of all 'computer hacking' is done via social engineering. Why spend weeks or months on a distributed network hacking 4096-bit encryption when you can hire a 36DD-24-36 from the local stripper shack to get one of the guys to just tell her his password simply by pretending she likes him?

              Old story - a sys/admin at company I was doing consulting for was bragging on his security at lunch with me one day, I told him I could hack my way onto his netw

  • IANAL (Score:3, Interesting)

    by orthogonal ( 588627 ) on Friday January 30, 2004 @06:27AM (#8133179) Journal
    Does that company now have access to the email even though there is no written contract nor technology use policy?

    me look left
    me look right

    me still sees no lawyers.

    This is an ethical or moral or legal question (depending on your particular viewpoint).

    Slashdot, to the extent it's not a troll-fest and crap-flooder's convention, is a technical forum.

    That said, this techie's understanding of the relevant law is that an employee's email, as any other work-product, belongs to the company that paid for the email account and paid the employee for the time the employee spent producing the email.

    On the other hand, at one time and place -- Feudal Europe -- "employers" thought they also had the right of droit du seigneur [bartleby.com] too, so we shouldn't fall into the trap of believing that something is right just because it's legal.

    Perhaps by asserting that privacy trumps payment you'll be striking a blow for freedom that will be remembered, centuries from now, as the beginning of our liberation from employers who today claim that they can lock employees in warehouses, denying them medical attention [metafilter.com] or can strip search workers accused of theft. [hubbartt.com]
    • On the other hand, at one time and place -- Feudal Europe -- "employers" thought they also had the right of droit du seigneur...

      This is almost entirely, if not entirely, a myth [snopes.com].

  • Policy, policy, policy (Score:5, Informative)

    by Jon Peterson ( 1443 ) <jonNO@SPAMsnowdrift.org> on Friday January 30, 2004 @06:27AM (#8133180) Homepage
    Hi,

    As resident information officer for my little company, I've had both legal advice (in UK) and experience of similar situations.

    First off, the paperwork you need to worry about is the stuff between you (3rd party email services provider) and your customer (the company). What the company did or didn't say to the employee isn't really your problem - although it is their problem.

    Now, ideally, your contract, or your services schedule would contain something saying just what happens in this situation. If not - now's the time to add it!

    I would think that if the company phoned up and said 'sorry to be thick but I've forgotten the password for account xyz can you reset it?' then you'd do that, because handling lost or forgotten passwords is what you as service provider do.

    And that, basically is what has happened. Now, it _may be_ that the company actually promised the employee that it wouldn't read their old email once they'd left (a somewhat odd promise anyway). But, that's not your problem. You aren't helping the company break its promise, because you don't know about it's promise.

    More importantly it's NOT YOUR PLACE to determine your customer's privacy policies. That's actually quite important because your customers are (under UK law) liable for YOUR decisions regarding privacy. In order to deal with that liability your customers need to know what you will do in a given situation, and simply turning round and saying 'sorry dude I'm not going to tell you that' isn't good enough. A privacy policy that's too strict is just as bad as one that's too loose.

    That last sentence may seem odd, but consider this. Your customer is liable under the UK Data Protection Act for any personal information it holds. Now, just before Employee left the company, someone sent a copy of their CV to Employee on the off chance of getting a job. Now, that CV is sensitive personal information, and Company MUST be able to access it and/or remove it if the author of the CV so requests.

    So, it's no good them saying 'sorry, we can't delete your CV from our mail server because our ISP won't let us, so I guess it'll just hang around on the hard disk for ages until some guy somewhere with a root password takes a look at it'.

    No good at all, you see?

    So, my advice is:

    1) Don't play 'privacy hero' and decide what your customers can and can't do.
    2) Get some data protection rules into your contracts asap.
    3) Meanwhile act assuming that the customer is honest and decent - if they aren't it won't be your fault, but if you pre-judge them as evil spying people then it will be your fault

  • Where's the problem? (Score:1)

    by Anonymous Coward
    Okay, if it was a personal account it would be different. But come on! Personal email addressses are a dime a dozen - who would use their work email address for personal things if they didn't want their employer to be able to read them?
  • and any data protection/human rights/RIPE style laws in place.

    In the UK, I think the answer would be know with a policy document that the 'user' has agreed to. This of course is still open to question as the UK human rights law and RIPE laws currently contradict each other on this. So until a court decides which has precident it's unclear.

  • How about ... (Score:2, Insightful)

    by Anonymous Coward
    How about you make a (verified) copy of the mailbox in question and (secretly) keep a copy on CD. Send a copy to the employee. Delete the mailbox.

    Contact the company and say that as the employee was termintated you (following standard procedure) removed the mailbox and sent a copy to the 'mailbox owner', the employee.

    Say you may be able to recover some data if they have a legal case for it.

    You should then act on what they say, but you have something in writing to prevent you being sued by the employee fo

    • Re:How about ... (Score:1, Insightful)

      by Anonymous Coward
      the employee is not the legal owner anymore the company is .

  • check with local lawyer. (Score:4, Insightful)

    by gl4ss ( 559668 ) on Friday January 30, 2004 @07:11AM (#8133330) Homepage Journal
    no other way to check it out.

    geez, why do people have to ask these things from slashdot?? ALL YOU GET IS OPINIONS ON HOW IT SHOULD BE, NOT THE CURRENT STATE OF THE LAWS IN THE COUNTRY YOU'RE IN.

    for example there are countries in which you CAN NOT read employees email legally unless you have explicitly said&informed that you will read it when you gave that account to him/her(or along those lines anyways, and it must have been very clearly said/informed to the person in question that the mail isn't private despite being protected by a password and seeming to be for his/her eyes only, otherwise it's the same as receiving a letter with the employees name at the office, falling under 'letter secrecy'.). same goes for other 'private' material like tracking calls against the will of the employee(even if the business is paying for the line)..

    one of the very good reasons for laws to exist is to make limits on what rights of yours you can give away... businesses don't come before people!

  • In Order of Importance... (Score:3, Insightful)

    by fuzzybunny ( 112938 ) on Friday January 30, 2004 @07:19AM (#8133356) Homepage Journal
    -The law. You should have a lawyer, as a company. Use "it". Law _always_ _always_ _always_ supersedes business arrangements, policies, whatever.
    -Your contractual obligations and anything you've committed yourself to. See #1.

    And you could argue about the following:

    -Your customer's needs, your conscience, your reputation, etc etc etc.

  • Since you're the admin of the server, and the account in question is that of a relative, I propose you filter the email. Look thru the account, remove anything potentially embarassing (perhaps with the knowledge and cooperation of your relative) and turn over any work-related emails to the company.

    There's no reason to divulge personal or private correspondence, but there's also no reason not to turn over work related information. Keep whatever you do quiet, and I suspect you'd be perfectly fine legally as

    • That suggestion does violate the laws of several countries, and is less ethical than allowing the company access, assuming the company supplied the email account. It sounds good on the surface, and it does help prevent the company from receiving personal information, but it does not protect the confidential information of the company.
      • Email is, as we all know, technically insecure. Any company that sends confidential information via email on a server they do not own or admin is asking for trouble. I don't believe it's unethical to know the confidential information, but only to use it. So, in this case, the former employee would presumably already know the confidential information, and the admin can choose to disregard it. In most cases, however, it's quite simple for an admin to filter the email simply by subject and sender name without

  • Dot some Is, cross some Ts (Score:3, Interesting)

    by eclectro ( 227083 ) on Friday January 30, 2004 @08:36AM (#8133660)
    If you were in your relative's shoes, and he was the admin for the company, what would you want him to do for you?

    I think you could think of this another way. Do you think phone conversations should be private?? Would you want the company you worked for taping all your conversations??

    The company could be on a fishing expidition for all you know, looking for a way to get back at your relative.

    Corporate morality is nonexistant in today's world.

    If they owned the computer hardware, then they would have a powerful arguement for owning the emails. But according to your question, _you_ own the hardware.

    If I were an ISP for that company, I would tell them to get a court order. I would do the same if I were playing admin for them.

    I would respond to them in writing/certified mail that you need to protect yourself legally, and request politely that they do things "officially" and get a court order.

    If they decide to no longer use your services and let you go, then you never needed their business in the first place. I would send a letter to them acknowledging the cessation of a business relationship. Then _with out reading the emails_ I would delete them, as there is no longer a business relationship with the company, and you no longer need them for any reason. Don't tell them that in the letter BTW, just do it.

    They could threaten to sue you, in which case you no longer need their business. Call a lawyer. Have him send a certified letter to them explaining that you are immediately severing your business relationship and ask the lawyer how long you should hold on to the emails (I would guess thirty days, if not seven)and then delete them.

    If they deliver a court order, obey it, and hope that you have an honest relative. Have him get a lawyer in any event.

    Above all, keep yourself clean, honest, and do nothing that you will not be afraid to tell about in a court of law later without perjurying yourself.

    I Am Not A Lawyer, and this is not meant as legal advice. Get a lawyer before doing any of this It's just one pal chatting with another about opinions on how to keep your nose clean.

    If the bottom falls out, and everything goes to pot, sue slashdot for letting you ask the question in the first place before telling you to get a lawyer.

  • There are possible good reasons for this... (Score:2, Insightful)

    by Anonymous Coward
    Most significantly, if the account was used for external business contacts, they'l like to continue the contacts, handle any incoming e-mail, etc.

    Really, it bouls down to how you see your "customers". Is it primarily the company, or primarily the individuals?

    I might forward any unread mail and set up a permanent future forwarding, but not provide the password to the mail account itself, so the company can't pretend that Mr.X is stll working there, but others can see that Ms.Y is taking over.

    Alternativel

  • Only in America? (Score:4, Interesting)

    by E_elven ( 600520 ) on Friday January 30, 2004 @09:41AM (#8133982) Journal
    Looks like the courts in Finland just upheld a legislation barring an employer from reading employee e-mails. Couldn't find an announcement in English, nor are the translation tools too good, so you'll have to take my word for it. So they're faring well.

    • Looks like the courts in Finland just upheld a legislation barring an employer from reading employee e-mails. Couldn't find an announcement in English, nor are the translation tools too good, so you'll have to take my word for it.

      Interesting. Wonder if this law is consistent with the treatment of e-mail in other parts of their legal system? For example, in the US, e-mails have the status of written communication and are "discoverable" during lawsuits. Testimony that you said "Cheat them out of $100M"

    • In Finland the basic rule is that if the mail is sent to john.smith@company.com, then only John Smith is allowed to read it and it's considered strictly personal unless a previously written contract says otherwise. However, if the mail address is support@company.com or something else that doesn't specify a single person but a function instead, then the employer is allowed to read the mail by default. If you, as a sender, are trying to contact customer support and send mail to somebody's personal address and

  • Think of Future Implications... (Score:4, Insightful)

    by TheWanderingHermit ( 513872 ) on Friday January 30, 2004 @10:34AM (#8134416)
    1) Whatever you do will set a precedent, so keep that in mind. Saying "No" seems to your benefit, since saying "Yes" could set a pattern and they could expect more in the future.

    2) Have you actually told them you still have the data? If so, this may not have been wise. As long as they don't know if the data still exists, they can push for it. If they don't know, they're reaching in the dark. This may be a good reason to start a policy of deleting accounts whenever you've received notice an employee is fired or whenever a client stops taking your services.

    3) Get a lawyer. Why? This WILL be a precedent, if not for others, for this company. If they get what they want now, they may start asking to check everyone's email account and, eventually, they might go so far as to expect you to provide them with access to all accounts. You need to find out if you have a right to refuse the request. The best news that you could get would be a lawyer telling you that you either a) don't have to provide the data, or b) are not allowed to provide the data.

    4) As said above (2 times), this will set a precedent, no matter what. In my experience, whenever someone asks for a special service, that isn't the end. It's not long before they ask for a repeat, and, once they've broken down that boundary, they ask for more and more. If you do decide to provide them access, or you find out you have to give them access, if possible you SHOULD charge for the service. Otherwise, they won't see this as as an item with value. By charging, you are setting a limit and taking steps to make sure they don't just keep asking for and expecting you to do more and more for them.
    • You are assuming that the employer intends to infringe on their privacy. As post above states, you don't know their privacy policy, and it is standard today for companies to let their employees know that their e-mail can be monitored. Furthermore, if they are the ones paying for it, then it is their property, and if they abuse it then it is their fault.

      As a postmaster you have no right to withhold the information. It doens't matter that they may ask for complete control over e-mail in the future. It's
      • If it is illegal, then it's the employers fault.

        When I was a teenager, I rode my bike everywhere (I still do, quite often, I prefer it to a car). My Mother kept telling me (since I was so cocky) that I could be "dead right." In other words, it didn't matter if I had a right of way, if a car didn't stop, I could still be dead.

        The employer may, as you say, have the right to access the info. And, if it is illegal, it may very well be their fault. But that doesn't mean the person who's e-mail is being ex
        • Good point, chalk up another reason to get a lawyer and have the employer indemnify him against any suit that may be brought up. If he doesn't give the e-mail, the employer may well sue because it's more their data than his. I think the chance of this is much greater than a 3rd party suing him for release private information.

          Thus: get a lawyer, they may suck sometimes, but they are good to cover your ass.
  • Where does the independent hoster look for guidance on something such as this?

    Not Slashdot, hopefully. *My* advice to you is, talk to your lawyer before proceeding.

    You probably have a contract with the company that your are providing hosting for, not the employee. But you (and your lawyer) will probably need to go over your TOS before granting or refusing access.

    When you are a small provider, word of mouth counts for a lot. And getting on your customer's bad side will probably cost you.

    Once again, t
  • IANAL and I am not familiar with US Law but in Europe and in Germany there is something called the Datenshutzgesetz (Data Protection Law) which prevents a business from accessing any such info without permission. It is also illegal to check the URL's that staff browsed and so on.

    Basically digging through mail is considered the same as placing a wiretap on his phone: A definite no-no.

    What we here do is to ask our new employees to sign a document that we make a copy of all mail that comes in to their accou

  • Conflicting answers (Score:4, Informative)

    by redelm ( 54142 ) on Friday January 30, 2004 @11:28AM (#8134951) Homepage
    You will get conflicting answers because the expectations and understanding in this area is still evolving.

    Traditional UNIX sysadmin ethics prohibit snooping in email for any reason. Snooping files and traffic is similarly verboten, except debateably (ulimit) in the case of excessive resource usage. This was done to increase user confidence and frank discussions in electronic media.

    Current capitalist thinking is whoever pays, owns. This is pushed because email has proven to be very popular, frank and valuable. A victim of it's own success.

    Personally, I did snoop in my wife's email. That's why she's now my ex. Neither qualms nor regrets.

    • Personally, I did snoop in my wife's email. That's why she's now my ex. Neither qualms nor regrets.

      There's a story waiting to be told.
      In my case, my wife and I sometimes read email over eachothers' shoulders.
      We know each other's passwords and nothing is hidden.
      I'm guessing that whatever you read while snooping her email would have lead to a split eventually anyway - snooping just made you discover sooner rather than later.
      Sorry dude - I hope you find someone better.

  • Does that company now have access to the email even though there is no written contract nor technology use policy?

    That was your first mistake. Your second was in not running to a lawyer the instant you got the request. Without something on paper, you're now at risk of legal action no matter what you do or don't do. Get off Slashdot and go talk to someone who knows business law!

    And hopefully, your third mistake will NOT be hosting another company's mail or whatever without a written agreement and AUP.

    T

  • Chances are good that... (Score:3, Informative)

    by stienman ( 51024 ) <adavis@@@ubasics...com> on Friday January 30, 2004 @11:49AM (#8135152) Homepage Journal
    I imagine the only reason you know about this is because you haven't given them direct access to set up and delete email accounts, or to change the passwords on them. Here is my advice:

    If the email is addressed to their registered domain, then they own the email.

    If the email is addressed to your registered domain, then who owns the email depends on the agreement you had with them. If you did not have a written agreement which discloses ownership of email sent to the addresses the agreement is written for then run don't walk, directly to your lawyer. At this point it becomes a you said/they said type of issue.

    You could simply tell them what your policy is after the fact, and follow through with your new 'policy' but if you favor your relative they may sue you, if you favor them your relative may sue you, so at this point it's best to stop and get advice from someone who can represent you if their advice goes awry.

    Lastly, send out a new terms of service to all current 'customers' explicitly stating your terms of service. Tell them that if after 30 days they are still hosting with you then that act shows they agree to the new terms of service.

    In the company I work for I regularily forward email accounts to the employee who is either taking over the old position or the employee who is handling most of the added workload. The simple fact is that a lot of work-related (and contract work at that) email is always in the pipeline, and a customer is not going to take, "We fired the employee and deleted their email for privacy" as an excuse for why we didn't respond to their request in a timely manner. Our employees understand this when they come and when they go. This forwarding is only active for a month or so, and we prevent any outgoing emails from being created in that person's name from our mailserver.

    -Adam

  • Who paid? (Score:3, Informative)

    by jmlyle ( 512574 ) on Friday January 30, 2004 @11:59AM (#8135257) Homepage
    That's really what it comes down to, I think. Whoever arranged for the service to be provoided to the employee and paid for it (or managed the relationship, if the service was free), is the owner of the data.

    I really don't like it either, but a couple of times I have been required to provide people's email to my boss, including a Vice-President. I had to do a little bit of soul searcing on that, but not a whole lot.

    Then I was, at another point, asked if I could archive all incoming and outgoing mail. I made a half-hearted effort, and eventually reported back that it wasn't possible. It was an ugly time all around in those days. At least I kept my job after 90% of the employees were layed off.

    But then again, none of these people were my relatives. I hated them all.
    • Then I was, at another point, asked if I could archive all incoming and outgoing mail. I made a half-hearted effort, and eventually reported back that it wasn't possible. It was an ugly time all around in those days. At least I kept my job after 90% of the employees were layed off.

      Note that in certain industries, this is federal law. Financial houses, for example, must archive all communications.

  • Wait... (Score:3, Informative)

    by pbrammer ( 526214 ) on Friday January 30, 2004 @11:59AM (#8135262)
    You simply wait for a court order. That's how things work. Don't hand anything over without a court order. Simple.

    If they don't have a contract with you stating that their e-mails on your system are their property, then you don't have to give them anything -- unless some court feels you need to.

    Phil

  • Too late (Score:3, Informative)

    by RMH101 ( 636144 ) on Friday January 30, 2004 @12:01PM (#8135282)
    "there is no written contract nor technology use policy?"

    That's you screwed then. Don't do *anything* without your line management putting it in writing. You'd be opening yourself up to all sorts of legal nasties. In the EU, it's very thorny: despite AUPs to the contrary, people have still been charged for infringing the HRI by reading others email. Even if the AUP covers it mind: and also bear in mind any email that account's recieved from other people. They didn't sign any policy and so could argue that you've infringed their privacy.
    All this is closing the door after the horse has bolted: get a formal ToS written now by a lawyer, get everyone to sign it, and tread carefully.

  • You have a conflict of interest (Score:4, Insightful)

    by JohnQPublic ( 158027 ) on Friday January 30, 2004 @12:07PM (#8135329)

    Fourth, it's my relative's account.

    Even if for no other reason, you need to stand back and look at what you've done in the past. As a business providing a service for a fee, your company must treat this user's email the same as every other's. You're opening the company up for a justifiable lawsuit from the employer if you don't. Not only that, but you're establishing a precedent you'll have to follow in all future encounters with this employer and probably all others.

    If you have no policies or past precedents to follow, you need to forget that this person is your relative and ask what you'd do with any other user. Then do the same. Your company may still get sued for making the wrong choice, but you'll eliminate the conflict of interest problem. Just make sure you immediate document this new policy, at least internally, and follow it in the future.

    Even better, if you're not just a one-person company, recuse yourself. Give the employer's request to someone else to handle, and make it clear to that person that you have a conflict of interest and that they have the full authority to make whatever decision is consistent with past practice (and failing that, company philosophy and goals) without fear of reprisals. In writing, if possible.

  • Since e-mail server isn't company property the standard justification for violating/having no employee privacy isn't there!

    Further if there was no specific provision in the "lease/service contract" there is probably no extension of it to the server. This might even hold for "IP" rights of what on the server.

    IANAL. Talk to lawyer about this.

  • ACM Code of Ethics (Score:4, Insightful)

    by drivers ( 45076 ) on Friday January 30, 2004 @01:39PM (#8136401)
    As an ACM member I will ...
    1.1 Contribute to society and human well-being.
    1.2 Avoid harm to others.
    1.3 Be honest and trustworthy.
    1.4 Be fair and take action not to discriminate.
    1.5 Honor property rights including copyrights and patents.
    1.6 Give proper credit for intellectual property.
    1.7 Respect the privacy of others.
    1.8 Honor confidentiality.


    Sounds like you should not turn over the email. I wouldn't.

  • I bet you're not an Experienced SysAdmin... (Score:2, Funny)

    by Anonymous Coward
    If you were, then what to do would be obvious:

    1) Open your relative's email account, scan through his email.

    2) Save off all the stuff you can embarrass him with at family get-togethers. Make special note of such terms as "snookums" and "little homer" or whatnot.

    3) Find anything illegal and make an encrypted copy. Accidently lose those backup tapes. Not that you are going to blackmail your relative, but you might be able to get some moral compensation for your time and effort by spoofing email from your r
  • Are you American? Canadian? European? Russian? It matters so much for this type of question.
  • I have a question for the story poster. The whole scenario seems sketchy to me to begin with. The odds of this exact mailbox meeting this exact series of events is very unlikely. Did you get the hosting contract based on the relative's connection to the company? If you did, welcome to conflict of interest! You have entered a convoluted world of nepotism and insider backroom deals. Anything you write down can and will be used against you since its only a matter of time until you do something illegal.
  • So there's an easier way out of this. Tell whoever's asking that the mailbox is empty. Read the email yourself for curiosity's sake, delete it with a secure over-write, and be done with it.

    Why wrestle with the morality of the situation when you aren't even qualified to do so, and might put yourself in legal trouble by cooperating in case this employee sues your ass off in court?

    Better not to get involved. Don't waste your time.
  • OK, today we get so bogged down in the technological aspect that the obvious can get away from us. Here's my point:

    Mr. Former Employee
    C/O Old Employer Co.
    123 Industrial Way
    Anytown, NJ 12345-6789

    IANAL so I don't know the answer to this question: Who is legally allowed to open this envelope? I know I've seen bosses open the mail of departed former employees, look at it and say, "OK, I know what to do with this," and walk off, but the legality of such actions never crossed my mind. Find out the answer

  • You could tell them that there is no way to get at the data without the password.
    It they want the data they have to get the password from the employee. It they want to go to court, they should go to court to get the employee to give them the password.
    You could even change the e-mail system so that it indeed encrypts the accounts with the password, and avoid problems in the future.
  • The company and the ex-employee both want something from you. The company want information, the ex-employee want you not to pass on that information. You, therefore, hold the balance of power.

    Proper etiquette in this situation is to back up the data onto a CD-R, make a second copy, and place each in a separate safe deposit box in the same city. You should then e-mail each party independently, telling them that you have the information stored on a CD-R, and it is in a safe deposit box at ..... [differen
  • I'd say it's his mail.

    A lot of people, I noticed, are saying that the box belongs to the company, but the box is not the same as the mail. If I agreed to put my diamond in your safe, does that mean the diamond belongs to you? I certainly hope not!

    If there were a contract stating that all mail stored in the box belonged to the company, that would be different. But there is no contract!

  • Read the ECPA - this is covered (Score:4, Informative)

    by Animats ( 122034 ) on Sunday February 01, 2004 @02:29PM (#8151935) Homepage
    Read the Electronic Communications Privacy Act [usiia.org]. This may raise some questions, but sending a copy of this section of the ECPA back to the company is likely to result in some serious thinking about the issue. The ECPA only allows disclosure to the "addressee or intended recipient", or the "subscriber, in the case of remote computing service". Who's the subscriber here?

    Clearly, though, you can obtain consent from the original addressee and then disclose.

  • My employee handbook is explicitly clear that anything I post or transmit through any company-managed infrastructure is the company's property. I have no rights of privacy to any of it. This simplifies things greatly, as anything I send or read through the company mail server, whether we host it or not, is already explicitly company property.

    Before anybody reacts that this seems awfully fascist or intrusive, I want to say that it provides me a real sense of security to know exactly where my boundaries ar

Slashdot Top Deals

Our OS who art in CPU, UNIX be thy name. Thy programs run, thy syscalls done, In kernel as it is in user!

Close