1996-08-04 - Re: Corporate e-mail policy

Header Data

From: Rabid Wombat <wombat@mcfeely.bsfs.org>
To: ichudov@algebra.com
Message Hash: dd618f5df383cf7b6b884cf329138042add372c6955634f9d98c370d0bbbe4b3
Message ID: <Pine.BSF.3.91.960803230601.6988E-100000@mcfeely.bsfs.org>
Reply To: <199608022351.SAA14955@manifold.algebra.com>
UTC Datetime: 1996-08-04 00:57:19 UTC
Raw Date: Sun, 4 Aug 1996 08:57:19 +0800

Raw message

From: Rabid Wombat <wombat@mcfeely.bsfs.org>
Date: Sun, 4 Aug 1996 08:57:19 +0800
To: ichudov@algebra.com
Subject: Re: Corporate e-mail policy
In-Reply-To: <199608022351.SAA14955@manifold.algebra.com>
Message-ID: <Pine.BSF.3.91.960803230601.6988E-100000@mcfeely.bsfs.org>
MIME-Version: 1.0
Content-Type: text/plain



On Fri, 2 Aug 1996 ichudov@algebra.com wrote:

> George Kuzmowycz wrote:
> >   In an ideal world, the rest of the group would agree with me and say
> > "Yup, we have no business reading e-mail." Since that's not likely,
> > I'm looking for examples of "privacy-friendly" corporate policies
> > that I can put on the table in our meetings, and end up with a
> > minority report.  
> > 
> 
> Maybe it is only me, but I recommend "privacy-fascist" policy. This way
> employees will at least know to keep their own business out of computers
> that will be monitored by the company anyways.
> 

I think you need to take the "fascist" approach, at least officially. I 
would hope that, unofficially, you don't monitor, eavesdrop, etc., unless 
a problem requires you to (such as receiving email from another site 
that attacks have been detected, originating from your systems, etc.).

If you don't take the "fascist" approach, you are granting employees a
"reasonable expectation of privacy", which you cannot, in truth, provide 
(without spending a lot of additional money). Once you've put your 
company in this position, you've now set them up for an employee to have 
their "privacy" violated, so you've increased the company's risk. The 
benefits of running a "privacy friendly" corporate system just don't 
outweigh the costs and risks.

If somebody wants to read alt.sex.whatever-floats-their-boat, I really
don't care, but I don't want to be in the position of ensuring their
privacy while doing so on corporate equipment; they can get their own 'net
account and play at home. 

I prefer to put out an official "fascist sysadmin's system use policy", 
and then leave users to themselves, as long as I don't get any complaints 
of illegal activity that could land my company in hot water. What you 
publish as a use policy, and what you actively enforce do not have to be 
the same.

Just my $.02.




