From: Rick Smith <smith@sctc.com>
Date: Sat, 3 Aug 1996 08:53:52 +0800
To: gkuzmo@ix.netcom.com (George Kuzmowycz)
Subject: Re: Corporate e-mail policy
Message-ID: <199608022151.QAA02114@shade.sctc.com>
MIME-Version: 1.0
Content-Type: text/plain


George Kuzmowycz wrote:

:   The company I work for has set up a committee to draft a security 
: policy involving, among other things, e-mail. Since I'm responsible 
: for our networking and e-mail, I'm part of this group. Unfortunately, 
: I'm outnumbered by legal, auditing and HR types who, basically, want 
: to have access to everything.

First, figure out what *your* objective is. You can't achieve e-mail
privacy by implementing some idealized policy that says "Our company
won't snoop into e-mail."  It is the obligation of corporate
functionaries to act in the corporation's best interest, and if that
includes violating the privacy policy (as opposed to civil or criminal
statutes) then it's going to happen. If you write it into one policy,
they'll just find a different one that they can apply to override it.

As you pointed out, the courts agree with this interpretation.  Let us
focus on what we *can* fix.

You can make things better if you write the policy to reduce the risk
of abuse. Nip this nonsense about "access to everything" in the bud.
For example, the policy could provide oversight by requiring approvals
from affected people (the victim's manager if not the actual victim).
Then, access is granted to the victim's files and not to all the
files. Even if auditors want to do "random audit" of e-mail, they
don't really need "access to everything" to achieve it.  They can
randomly select messages somehow and only get readable copies after
the messages are selected.

You'd probably find lots of support for a more measured policy like
this. For example, mail from the CEO or the head of the Audit
department shouldn't be an open book just because Joe Blow from Audit
is "auditing e-mail today."

Also, your policymakers might think about the issues raised by the
recent skit, "FBI Files on Republicans Stored in the Democratic White
House." If they demand unlimited access to e-mail files, they might be
held responsible for making use of information contained therein
simply because they *could* have read them.

Rick.
smith@sctc.com         secure computing corporation