General discussion

  • Creator
  • #2291817

    It is ethical to look at the users email?


    by jgtez ·

    Hi, If I’m the manager of the mail server, it is ethical to look at the users email to detect porno or content that can damage the bussines?


All Comments

  • Author
    • #3297279

      you could but…

      by mschan ·

      In reply to It is ethical to look at the users email?

      … do so according to the guideline listed in the company policy.

      • #3312404

        Reply To: It is ethical to look at the users email?

        by adam.chen ·

        In reply to you could but…

        Before that, make your guys be aware of
        1. Company resources should be used for business only.
        2. Any activity might be monitored while using company resources.
        3. You are authorized by the company.
        Then, there should be no private stuff expected online. You are monitoring company’s communication.

    • #3297275


      by jamesrl ·

      In reply to It is ethical to look at the users email?

      Without involving anyone else or getting official permission, then no its not ethical.

      You should work with your HR Department, and Senior IT management to establish policies and monitoringguidelines. You might need to communicate to employees letting them know that their communications may be monitored – and better yet, get them to sign that they have read the policy.

      Once you have clear communicated policies and guidelines, then go ahead. I would suggest that this is better done with a tool than by hand. There are tools available which will block file types, and scan content for specific words – on both incoming and outgoing mail.


      • #3297257

        Is there a policy established by a competent authority?

        by jgtez ·

        In reply to Process

        Is there a policy on the web or in document, established by a competent authority or a opinion leader in the subject?

        • #3295112

          Maybe but

          by jamesrl ·

          In reply to Is there a policy established by a competent authority?

          In reality, every company is different. You will have to craft your own based on inputs from senior management and HR.

          You have to establish: what the expectations of privacy are, who will be allowed to monitor emails, what circumstances will trigger an investigation, who needs to initiate investigations, and most importantly – who is responsible for any enforcement of policies (make HR do it).


        • #3313372
          Avatar photo

          TR should have a “White Paper”

          by hal 9000 ·

          In reply to Is there a policy established by a competent authority?

          That could act as a guide line for setting up what basically is a contract between the business and workers.

          However the final product will need to be vetted by the companies Lawyers just to cover the companies and the IT workers backsides.

          This should already be in place as every company should have a set of rules covering e-mail and phone calls. Not only does the hardware belong to the company but while the workers are supposed to be working and are actually spending time either on line or on the phone it is costing the company money in both web time phone calls and wages that are not earned.

          Most companies have a set of rules in place and are flexible in terms of what is acceptable but any form of abuse has to be jumped on immediately.

          Also depending on the company the workers could be sending leads to other business and gaining financial advantage from these leads.


      • #3294848

        I Agree Totally

        by debon ·

        In reply to Process

        I agree with James. There needs to be a clearly defined policy that is circulated to staff (i.e. and preferrably signed by ALL staff as having been read). This policy should state among other things that ….staff are to have absolutely no expectation of privacy for any data, information or any representation thereof, that is contained in or stored on, hard disk, floppy disk, tape or any other media type whether printed or otherwise, purchased by the company or present on company property…… It may also state what sanctions can be brought against anyone found in violation of the policy and may also name the position whose job it will be to enforce the sanctions. It is necessary to have it reviewed by the legal department to ensure it is enforcible and that it protects the Company and whoever is responsible for enforcing the policy.

    • #3297261

      Just flag it

      by oz_media ·

      In reply to It is ethical to look at the users email?

      get a spam protection that allows you to flag specific keywords or addresses.

      IE: Any mail from my clients server is scanned and keywords such as ‘resume’, ‘hiring’ etc are flagged. the message is then forwardd to either myself or the owner (depending on the keyword flagged). also it scans attachments for the same keywords, such as RESUME, ad many sexual terms used in jpegs etc. to ensure it is captured before leavig the ofice.

      the compnay mail system is NOT private mail for employees, it is completely acceptable for the owner and provider of the system to review ALL mail set through it, especially while the employer is paying for the persons time.

      mail at work is NOT private, is is NOT petrsonal, it is owned BY the company and anything sent through or recieved into it is also the property of the company to read or delete as it deems neccessary.

    • #3295053

      Because you think you should…

      by mlayton ·

      In reply to It is ethical to look at the users email?

      …does not make it ok. Furthermore, if you are singling out an employee instead of across-the-board monitoring, other issues may arise. Look to HR and Legal to ensure there is a policy in place. If you are a small shop (no HR and Legal) then use SANS and a couple of other online resources, or books to draft a policy, make a case for it with the boss, and have his legal rep look at it and ok and then communicate it to the employees (in some cases, this may involve employees signing that they understand the policy) before doing anything. Anything not OKd by upper management, or done contrary to policies or the governing laws in your area, can get you in hot water.

      • #3294830

        Fine line between snoop/monitor

        by jpenajr9 ·

        In reply to Because you think you should…

        Do NOT allow yourself to be placed in a situation of being labeled a snoop.

        I agree with all that COMPANY Email systems belong to the company and are/is provided for official COMPANY business. ALL contents of the system are COMPANY property. Just as it is proper for the COMPANY to inspect/monitor the use of other COMPANY property, it is reasonable for the COMPANY to inspect/monitor THIS company property just like ALL the other COMPANY property.

        But a COMPANY can only DO what is detailed in written policy and, in the absence of specific policy, can only DO what is considered standard practice in the industry (use SANS for instance). If your situation is ambiguous for lack of specific written company policy, write one that meets generally accepted industry standards and get it APPROVED by the Board of Directors or someone else with authority to approve policy.

        Then….have all your users understand what is in the policy and sign a document that they DO understand. You will have the opposing view that private Email is private Email. Do NOT agree to this…

        My policy states that a reasonable amount of non-company related Email is allowed but that, in spite of this, all content is STILL the property of the company. IN my policy I state/inform that there are MANY companies offering free accounts so that anyone desiring to keep some Email private could use THOSE. I specifically state that it should not be difficult to use the COMPANY provided Email accounts for COMPANY related business and OTHER Email accounts for non-COMPANY related business.

        I also agree with the writter that suggests defining WHAT will trigger a review of Email accounts, WHOM will do it, and ETC….. I plan to write that into my policy based on that suggestion…..

        The basic idea is to clearly define what the COMPANY expects from users in relation to the Email system, make the users aware, support the COMPANY’S position with written approved policy, and enforce the policy…JUST LIKE ANY OTHER RULE/REGULATION/POLICY that the COMPANY has! If the user/s choose/s to VIOLATE COMPANY POLICY, the COMPANY can take action against the user based on OTHER written policy.

        I have chosen to capitalize certain words/pharases for emphasis, but one in particular is, in my opinion, very significant. It is “COMPANY”. You must approach this problem PURELY considering what is good and what is bad FOR THE COMPANY. Do NOT allow your personality to “get written” into the policy…you are the tech, “the subject matter expert”, so DO write your PROFESSIONAL PREFERENCES in and industry standard practices but nothing else. Protect the COMPANY without being a snoop…

    • #3312315

      Yes it is!

      by atsmar ·

      In reply to It is ethical to look at the users email?

      As long as your IT policies state that the company PC’s/laptops/PDA’s are not the “personal” property of the end-user the end-user should be aware that management has the right to monitor and if necessary, check for inappropriate content and or activities on that device.

      I had a situation as IT Manager at a former employer a couple of years ago where a new department supervisor was suspected of a possible defalcation. Due to our proactive IT policies, I went ahead and took control of this individuals e-mail, and tracked the internet activity as well. Subsequently, I was able to prove that this person was indeed conducting activities that aimed to embezzle money out of a customers account. The individual had started planning the mode of escape via the internet and never deleted the e-mail correspondence between himself and his accomplices!

      I notified my manager of my findings and was able to provide the FBI investigators with concrete proof of the nefarious activities that were taking place.

      The authorities arrested and convicted this person for the crimes committed.

      Hope this helps!

    • #3313499


      by aaron a baker ·

      In reply to It is ethical to look at the users email?

      Would it be Ethical to check letters meant for employees,regardless of content? Would it be Ethical to look for possible “Ad Content” in every Parcel delivered to your building “Before” it get to Employee or CEO Destination? If the e-Mail was for the CEO would the same Ethics apply?
      You See what I’m getting at. Mail is Mail,be it E-mail,Parcel Post,Letters or Whatever and it usually addressed to one individual.Only THAT individual should have the right to open the Mail and read the contents. Reading the E-Mail of others should be considered at the same level as reading a letter addressed to someone else. “IllegaL”. Not to mention amoral and invasive. No matter how well intended, it would be and should be considered and invasion of privacy and the reciprocations should be the same. If on the other hand the Employee or Employer comes TO YOU and asks for your help in dealing with unwanted ads, AH!, then it becaomes another matter entirely. Howver the choice must always be with the receipient. Pre-Checking E-Mails should deffinitely be illegal and charges should be pending if such a thing is proven. “What Google is doing RIGHT Now is “DEAD WRONG” and it too should be illegal and they should most defenitely be charged for invasion of Privacy.
      Thank You for your attention

      • #3313422

        Absolutely dead wrong

        by jamesrl ·

        In reply to “ABSOLUTELY NOT”

        Email sent to your office is conducted over a network cpnnection paid for by your employer. Its is stored on a server paid for by your employer. It is provided so you can do your job. It is not provided for your personal use.

        Furthermore, the employer has an obligation to ensure a non-hostile, non-threatening workplace. This includes making sure that offensive material does not enter.

        Yes as I have said in the other postings, there have to be rules. Its not carte blanche – everyone is not entitled to see everything. But for those who have in their job description duties around ensuring the smooth operation of the email system, there needs to be some ability to look at email when needed.

        What it comes down to is that there is no “right to privacy” from your employer, unless provided in your contract. I do believe that companies should make employees aware that they have no privacy. And this goes for everyone from the CEO to the janitor.


        • #3313368

          I back James on this one, I think you are off.

          by tomsal ·

          In reply to Absolutely dead wrong

          This is really a simple issue. I fail to see why some folks make this out to be complicated..its clear as daylight to me.

          If its work related communications — could be snail mail, email, an IM message, a phone call…that you receive on company time, via company resources (money spent for the Internet bill, postage, printed with company resources, etc. etc.) you forfeit your right to privacy with regards to that communication…UNLESS, as James pointed out…there is some kind of written contract you have pre-arranged with the executive management staff that outlines your rights to privacy on company time, using company equipment/resources, etc.

          I’ve posted this opinion a dozen times in other discussions, but I repeat it only because its factually correct — in this state for example its LEGAL to read/go through, listen in on any communication an employee has using company resources/equipment on company time…and the employer doesn’t even have to warn you about it.

          However the catch for the employer is if I use my personal cell phone, for say I need to make an emergency related call to a family member — the employer’s rights get blurred there, and then I technically could file suit if the employer tried to “tap” that phone conversation (because in that case the federal wire tap rules/laws would apply and over-ride the previous rights of the employer).

          Keep in mind though, don’t get cocky with this info and start making tons of personal calls on your own cell phone…employers aren’t that dumb…and while they can’t listen in they still have the right to fire you without justification.

          (which btw, I think is a crock..I think an employer should be required to state an exact justification when terminating someone, but that’s another topic)

          As far as ethically, why should you feel unethical — as long as its part of YOUR JOB POSITION (that’s the key), after all someone has to have the job of keeping the interests of the company’s communication integrity intact.

          If its not your job position, then its not ethical for you to look at the email.

      • #3313362
        Avatar photo

        Absolutely incorrect

        by hal 9000 ·

        In reply to “ABSOLUTELY NOT”

        As e-mail is now considered Legal tender it is improper for an employee to use company facilities for anything other than their allocated job.

        While some people seem to think that they have a right to privacy they do not when the hardware used is not theirs and the expenses are not paid for by them but by another.

        A company any company has a “Duty of Care” which they must maintain and if they did not control what arrived through e-mail they could end up in court with extremely large expenses for one persons actions.

        Mr X sends Miss Y porn which she finds offensive and adversely affects her ability to work.

        Ms J works for a bank and is using the banks computer network to defraud the entire customer base of that bank.

        Mr B works for a Government Department and has a dislike for Mr Z so he gathers Mr Z’s personal details and makes them public domain by posting them on the Internet.

        Mrs A works selling expensive equipment and finds that she can make far more money by passing potential sales onto a competitor who pays her a spotters fee.

        Mr G works as a Rocket Scientist and finds that he can make a killing by selling the plans of an ICBM to Al-QAEDA so he e-mails them the constructional details and complete plans for the newest missile.

        Those are just a few examples of how a companies hardware can be misused and leaves the company open to Law Suits. The owners of the hardware not only have the right to monitor all correspondence but a duty to do this to protect their employees and their business and depending on what the business actually is a countries security as well.


      • #3311842

        Did the glue factory stocks flourish when you left?

        by oz_media ·

        In reply to “ABSOLUTELY NOT”

        You seem to have the impression that mail coming into your employers organization can be of a personal nature. Your employer OWNS every single piece of mail or correspondence of ANY sort entering and leaving his/her organization. It is NOT yours, NEVER is and NEVER SHOULD BE.

        When YOU provide YOUR equipment, pay YOUR property taxes and monthly lease and operate YOUR organization it will become YOUR property.

        While you are operating someone ELSE’S business on THIER time, in THIER premises, on THIER equipment, with THIER legal name behind it, YOU are being rented, you HAVE no personal property other than those effects which you have brought with you.

    • #3313423


      by dwdino ·

      In reply to It is ethical to look at the users email?

      Well, to look at users email … nope. But (big but), IT IS NOT THE USERS EMAIL!


      All communications originating from or destined for your company is a company asset or liability. The employee has been entrusted to perform a task on behalf of and in the interest of said company.

      Therefore any and all communications made by said employee is eminent domain of the employer there of. Employee has no rights, neither expressed nor emplied, upon any communications made during company time and upon company equipment.

      With this foundation, any and all communications of afore mentioned employee may be subject to monitor, scrutiny, and recourse for any content or method outside excepted company standards.

      Employer: _________________________________

      Employee: _________________________________

      Date: _____________________________________


      • #3312874

        In other words

        by mlandis ·

        In reply to Hmm….

        If asked, “Is it ethical to use the employers’ time, networks and communication facilities for personal use, including but not limited to sending unauthorized communications (via IM,P2P, email, snail mail, interoffice mail/memoranda) with or without proprietary attachments to competitors, who may harm the financial and physical well being of the employer and/or sending unauthorized communications that violate any in-house policies set forth in the HR Manual etc.?”

        No is the only answer.

    • #3311855

      Whose business is it to look?

      by tpolitowski ·

      In reply to It is ethical to look at the users email?

      Protecting the business is the responsibility of the security and risk group (or the executive team). Emails sent by employees that jeapordize the organization – sexual and racial harassment (jokes, pictures, etc.), theft of intellectual property, leaks of plans and results, and release of confidential information could also compromise compliance with Sarbanes-Oxley section 404, Graham-Leach-Bliley Act, HIPAA, etc.

      The right solution is to give security/legal/HR a tool to search archived emails and have automated reports go to each department manager to allow them to identify and drill into suspicious activity. The email administrator should only respond to requests for information.

      Take a look at MailMeter –

    • #3293102

      Available from Tech Republic

      by lmaurer5 ·

      In reply to It is ethical to look at the users email?

      We wrote our policy based on a template from Tech Republic. Search for “Acceptable Use Policy”.

    • #3292732

      i do not think so

      by degwell ·

      In reply to It is ethical to look at the users email?

      As an email admin i share your pain i tell you porn is so addictive i have administered an email server in a church an there were some black sheep.. however the fact about viewing users email…its abit of a thorny issue iwould suggest you institute a policy on content viewed or browsed and put sanctions on offenders. to really be honest its a very thorny issue
      good day

Viewing 9 reply threads