Not for your eyes only

The network has many faces, and not all of them are pretty.

E-mail has quickly become a mission-critical tool, but it is also an entry point for vandals intent on wreaking havoc, and a convenient tool for rogue employees trading in company secrets. E-mail systems and the Internet are also potential playgrounds for employees who may not be putting in a full day’s work and who may be tying up an already-limited resource with unnecessary traffic.

Some companies fear that the network which allows their employees to share and exchange information may have a dark side, and in response they are determined to shine a light into those shadows.

Increasingly, companies are turning to e-mail monitoring systems to keep track of what is passing through their networks. But everyone is monitored when companies search for those few who may be abusing the e-mail system, and some believe employers may be violating their employees’ right to privacy.

Keeping an eye out

Almost a third of companies worldwide are already monitoring e-mail messages, according to Jonathan Penn, a senior industry analyst at Giga Information Group Inc. in Santa Clara, Calif.

Chanel Inc. in Piscataway, N.J. is one such company. It currently uses a legacy e-mail system, Lotus’ cc:Mail, and each post office has a capacity of only 2GB, explained Pat Dillon, the systems support manager at Chanel. The company’s e-mail policy prohibits employees from receiving non-work related movie files, songs and pictures. All employees most sign the policy in order to receive e-mail access.

“The space we have is so limited. If our space gets filled, then this leads to downtime,” Dillon said. “When you have a cc:Mail database that goes out to lunch, you might be looking at a day’s worth of downtime – sometimes more. We had one that took us all day to restore, and [some employees] were without mail for about a day and a half. Obviously, that’s extremely unproductive, so we definitely need to prevent that from happening.”

The company is in the process of migrating to Notes, but for now keeping a diligent eye on the e-mail messages employees are sending helps ensure the e-mail system doesn’t go down.

And it’s been working, according to Dillon. When users misuse the e-mail system, Chanel will send them a message reminding them that they signed an e-mail policy, and this is generally enough to put a stop to large inappropriate usage, Dillon said.

watch your language

But Chanel, which uses Burlington, Mass.-based Elron Software’s Message Inspector, has other concerns as well. The system is also set up to check for e-mail messages containing offensive language.

“The company can be held liable if we create a hostile work environment,” Dillon said.

Message Inspector technology is based on computational linguistics and is designed to search for the context in which words are used. And this might come in handy, because, according to Cindy Levin, a product manager at Elron, two out of ten employees will admit to receiving adult-related e-mail.

“[Message Inspector is] much more than a simple keyword string search, which is what you find in most products. Most products you just identify what strings you’re looking for and then using basic word search techniques, they search through your message and they search for your string,” Levin said.

Elron’s software can also be used to check for words that may indicate an employee is sending out company secrets, she said.

But most of the messages that are flagged at Chanel, which checks all correspondence for racial or sexual content, actually turn out to be business related, Dillon said. He doesn’t feel he’s violating anyone’s privacy when he opens what turns out to be an innocent message.

“You don’t usually have to read the whole message. You just look for the words that were flagged, and usually they jump out and bite you, so, usually, before you finish reading the whole sentence, you’ve already determined whether it’s business related or not.

“I don’t even usually look at who sent it, I just usually look at the content first before I decide that I can go further with it than that. Because you know what? It’s a time thing. I don’t have a lot of time to spend policing the network.”

But as far as Brian Stewart, a strategic privacy advisor at the Office of the Privacy Commissioner of Canada in Ottawa, is concerned, companies that monitor e-mail messages using anti-discrimination concerns as a justification are violating one right in order to protect another.

“It removes privacy rights in order to enforce anti-discrimination rights,” Stewart said. He adds that he doesn’t know of a case where the human rights commission has criticized an employer for failing to block pornographic material from being viewed or sent over the Internet.

But for now there is no legislation governing e-mail monitoring, so until there is it is up to the courts to decide on the legal parameters.

Under the Criminal Code of Canada, it’s illegal to listen in on a telephone conversation without the consent of at least one party to the conversation. This law also applies to employers with respect to their employees, even though they own the telephone system on which the conversation takes place. This last is a favourite justification for companies which monitor e-mail.

It remains to be seen whether e-mail messages will be treated like telephone conversations, Stewart said.

According to lawyer Craig Flood, a partner at Koskie Minsky in Toronto, “it’s pretty clear that just because you own the communication system and own the software, that doesn’t necessarily mean that you have an untrammelled right to intercept e-mail. The employer owns the telephone system and pays for the telephone service but that doesn’t mean that they can randomly pick up (telephone) calls.”

But the law remains open to interpretation.

“Until the federal and provincial government come in and legislate e-mail and Internet usage, [the telephone] analogy won’t apply,” argues Greg McGinnis, a lawyer at Toronto firm Stringer Brisbin Humphery who councils companies putting in monitoring systems.

this is a warning

Everyone agrees that any employer considering an e-mail monitoring system is better off warning its employees.

Employees have a reasonable expectation to the right of privacy, said the Privacy Commissioner’s Stewart. But, he added, “there is widespread thinking that you lose the reasonable expectation of privacy when you’re notified that you don’t have any.”

This is an argument Stewart criticizes. “This office has taken the position that privacy is a right, and that privacy is a fundamental right, and it shouldn’t be so easily wiped out. We certainly couldn’t do the same things with other fundamental rights,” Stewart said. No employer could take away an employee’s right to be free from discrimination just by telling the employee that at this office the employer discriminates.

“Where there is reason to believe that somebody is abusing the system, then there is something of a justification for monitoring. But to sweep everybody in – to monitor people indiscriminately – to treat everybody as a suspect, is really over-stepping the bounds,” Stewart said.

guilty until proven innocent

But an employee at one Toronto food services firm, who did not want to be identified, found that most of the company’s employees misuse e-mail and Internet privileges.

The company uses Topsfield, Mass.-based MicroData Group Inc.’s MELIA monitoring system, and employees have to sign an e-mail policy, said the senior technical analyst.

“What usually happens is every new user that arrives in our office, every person that gets hired, they are usually people that hit the top 10 list of sending and receiving material which is not appropriate according to our conduct. So in almost every case, even though they are given the code of conduct document and they sign it, they get a notification that they’ve abused the e-mail privileges or the Web surfing privileges. After this (notification), that usually goes away,” the technical analyst said.

The company checks for spam, jokes and messages with MPEG or JPEG file attachments. And although it’s not anti-virus software, MELIA, which sits on top of Microsoft Exchange, can also catch virus-carrying vbs. files, said MicroData president Paul Parisi.

MELIA has helped the food services company save money, the technical analyst said.

“Our big boss does not feel that fixing the problem [should involve] throwing money at it. I could simply add a much larger connection for Internet mail, and our problems would be solved. That would just means higher costs for us,” he said.

Employers have a right to know what their employees are doing during business hours, the food services company believes.

“What people do at home, it’s their business and nobody will ever question this, but what they do in our office, how they use our equipment and what they send out to other people it is company business at that point. Abuses are not looked at lightly,” he said.

The company doesn’t want employees sending out jokes over the Internet with an e-mail address that contains the company’s domain name.

“This is bad publicity.”

If an employee who has been warned several time continues to receive too many personal messages, e-mail with MPEG or JPEG attachments and jokes, then that employee is cut off from e-mail privileges.

“We’ve had to remove e-mail privileges,” the technical analyst said. “Would you not expect somebody who comes to work and gets paid for the time to actually work, as opposed to play?”

He adds that there was no backlash from employees when the monitoring system was introduced.

Employees at Chanel Inc. also understood, according to Dillon.

“I think that the prevention of the downtime outweighs [having] employees who are unhappy that we’re monitoring their mail. We just can’t afford the downtime,” he added.

One Toronto marketing professional, whose company monitors employee e-mail messages, says she can see both sides of the issue. She asked not to be identified.

“I’m kind of mixed about it,” she said.

“If it was my company, I would want to know if people were wasting time,” but she also feels that she puts in enough overtime that the few minutes spent sending an occasional message to a friend is more than justified.

What concerns her most about her company’s policy is that it has not been made clear exactly what is being monitored.

“I would rather know the full extent of what they’re checking for,” she said. “It kind of makes you think, okay, what’s next?”

But, she adds, the tech person whose job it is to police the network covertly warns employees when the company is about to do an intensive scan, and most problems are therefore averted.