From: "George Kuzmowycz" <gkuzmo@ix.netcom.com>
Date: Sat, 3 Aug 1996 03:10:13 +0800
To: cypherpunks@toad.com
Subject: Corporate e-mail policy
Message-ID: <199608021611.JAA13044@dfw-ix10.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


  The company I work for has set up a committee to draft a security 
policy involving, among other things, e-mail. Since I'm responsible 
for our networking and e-mail, I'm part of this group. Unfortunately, 
I'm outnumbered by legal, auditing and HR types who, basically, want 
to have access to everything.

  I am aware that there's a line of thinking which holds that what you
do or say on company time, using company equipment is the company's
business. I do not subscribe to this line of thinking, and believe
that employees expect a "zone of privacy" in which their telephone
calls will not be listened to and their e-mail will not be read or
monitored. I am also aware that recent court cases have not
supported this "zone of privacy" and have pretty much held that the
employer can do whatever it wants with e-mail. 

  What I want out of this process is to keep myself and my staff out 
of this business. As a practical matter, I'm sure the company could 
bring in a hired gun to do whatever they want; since our e-mail 
system does not easily support strong crypto, it's all there for the 
taking.

  In an ideal world, the rest of the group would agree with me and say
"Yup, we have no business reading e-mail." Since that's not likely,
I'm looking for examples of "privacy-friendly" corporate policies
that I can put on the table in our meetings, and end up with a
minority report.  

        -gk-