E-mail Privacy

Craig Burley burley at albert.gnu.ai.mit.edu
Thu May 23 16:07:34 AEST 1991


In article <15110 at ccncsu.ColoState.EDU> conca at handel.cs.colostate.edu (michael vincen conca) writes:

   Approximately 1 month ago, a certain employee was advised that he/she was
   acting in an inappropriate manner and that they needed to make 
   certain adjustments in their attitude.  A meeting was held between the head
   manager and this employee in which the above issue was discussed.  All of
   this was summarized in a memo which was E-mailed to the employee.

   Yesterday, this employee was terminated.  He/she was allowed to gather
   their things and purge all of their personal files from the system.  Today,
   my boss asked if it would be possible to retrieve this employee's E-mail
   off of backup, find the memo, and print it out in case it was needed as 
   evidence in a possible court case.

   Now for the tough questions.
	   Is this legal?  Is this ethical?  If this person still worked
   here, I would immediately refuse.  But since they don't, do they still
   have any rights to their E-mail?  Right now, I am leaning towards refusing
   because I think a person's E-mail is theirs, regardless of their status
   with the organization.  Anyone have any other opinions on this?

If the manager cc'ed himself or even kept a copy of the email he sent the
employee, he could certainly keep that copy for a possible court case.  Of
course, the cc'ed version would be "better", but since any and all of this
could be easily forged in a text editor, I don't think it matters much.

I question the wisdom of using email for this kind of task anyway.  Anyone
using email should assume:

    -  It is not secure

    -  Anything sent from one individual to another, no matter how private,
       can be read and even rewritten, prior to delivery, by a cracker

    -  Anything a cracker can read, a cracker can email to someone else or
       post in a newsgroup

Once when doing some maintenance on the email system at Prime, I came across
a fairly sensitive personal email (regarding employee performance) from a
director or VP in engineering, so I had a talk with him about email security
and as I recall he sent a memo out saying what I am about to say:

    -  Unless you're willing to risk the message not getting through, being
       willfully changed by another person, and/or being publicized,

           PRINT A MEMO ON PAPER, VERIFY IT YOURSELF (VISUALLY) (or your
           trusted secretary can do this, of course), AND DELIVER THAT PIECE
           OF PAPER, NOT AN ELECTRONIC VERSION!

    -  Once you've printed such a memo via a computer, immediately delete the
       online version.  Something that sensitive shouldn't be online unless
       you've got a super-secure system, and even then, why take the risk when
       retyping it, even if necessary, is so trivially easy?

IF this matter had been handled via memo, especially on letterhead, instead of
via email, it would be a lot more difficult for an employee to successfully
argue in court that he or she never received it.

And, to look at things from another point of view, you don't want to find out
that an employee you just fired for not following through on your email'ed
command indeed did NOT receive the email because the mailer was in a bad mood
that day!

In summary, to take an extreme but fairly wise viewpoint:

    YOUR COMPUTER SYSTEM IS LIKE A FANCY BULLETIN BOARD.  ELECTRONIC MAIL
    IS LIKE POSTINGS ON THE BOARD WITH THE RECIPIENT'S NAME ON AN OTHERWISE
    BLANK SHEET ON TOP.  IF YOU WOULDN'T COMMUNICATE WITH SOMEONE ON A TOPIC
    VIA SUCH A TECHNIQUE, then DON'T RELY ON A COMPUTER.

(I.e. the recipient might never see it; someone else, even everyone else,
might read it; someone might change it before the recipient sees it; the
recipient might read it and pretend to never have seen it; etc.)

This extreme viewpoint is probably best for those in management who are
unacquainted with computers and unlikely to even notice if their accounts,
email boxes, etc. have been tampered with.  (Basically, anyone who might
respond to an email message purporting to be from "Your System Administrator"
saying "For security reasons, please change your password to XYZZY" by
doing it!)
--

James Craig Burley, Software Craftsperson    burley at gnu.ai.mit.edu


