Tags:





What to do with sticky IT ethics?
August 1, 2005 2:27 PM   RSS feed for this thread Subscribe

IT concerns, what do you do to employees who do not seem to understand that if they delete e-mails, they are still retained? Recently while trying to figure out if my spam filters were keeping e-mails out, I found some amorous e-mails.

As the IT department, I have the ability and authorization to look at logged mail (which I use to check to make sure I keep the majority of SPAM out), the only other people to use the system are a handful of executives. They use it, rightfully so, to make sure employees aren't violating legal contracts. They only use it when they suspect foul play (rarely, as I always have to show them how to use it).

Anyway my dilemna is this, while I know when they do use it they check pretty thoroughly and all e-mail to this point was inane personal e-mails and business related items. I noticed after doing a filter for some porn terms that a lot of mail came from approved domains. I thought spoofing was involved until much to my Internet-raised "nothing can phase me" youth, I found a lot, a lot (50 a day) of e-mails going between one person inside and one outside the company.

I ignored it at first, and thought for the employees sake, I'd filter out the words even from approved domains as a subtle hint, which lead to simple masking with asteriks -- and complaints that long e-mails that contained "cum" in the Latin sense were not getting through.

No policy exists where I have to report this, or anything related to such things as this hasn't been a problem. I have done nothing beyond the filtering and a system wide, "Your e-mails are being monitored" would cause an immediate "Why did you send that e-mail, what did you find?" amongst management.

Content on doing nothing (and sadly know the employee is a "fired person walking"). To complicate this, I was having a discussion with close friends (keeping everyone anonymous, don't worry said person's privacy wasn't violated, everything was abstract as well) who happen to hold business degrees and told me that in such a situation I would be ethically required to report this (even sans any policy stating otherwise) and were shocked I hadn't gone to said person's manager about this.

So now I go to the masses, is keeping my "hear no evil, see no evil" stance ethically sound? Being that is impossible not to stand still on a moving train, or should I report my findings?

Sorry for the length, I thought I'd head off all my options since I have an inability to respond. Perhaps a big reason this has bothered me so much is my inability to even really talk to this person knowing the things they've done, and let me tell you I thought it'd take puppy porn for my Dan Savage-bred eyes to be amazed.
posted by anonymous to computers & internet (28 comments total) 1 user marked this as a favorite
I think you should mind your own business until someone in charge requires that you tattle on employees personal internet use in the workplace.
posted by trbrts at 2:40 PM on August 1, 2005


I agree. MYOB.
posted by john-paul at 2:45 PM on August 1, 2005


So you are faced with a choice between not fucking a real person over or screwing them over to the benefit of no one except possibly a corporation.
posted by TheOnlyCoolTim at 2:54 PM on August 1, 2005


As a sysadmin, you are ethically required to treat people's private email as exactly that, unless and until you are required by your management to become a snoop.

If that were to happen, I'd quit.

MYOB.
posted by 5MeoCMP at 2:56 PM on August 1, 2005


Unless your company has a strict "email is for business use only" and you are required to report infractions, then you have no obligation to report anything to your management.

IT is a "neutral party" in this, it's your job to make the email flow, not to decide what is allowed in them. If it's inevitable that these email messages will be discovered, then let management deal with that when it happens.

In similar situations like this, I've gotten by with giving an informal warning (in person, not in writing) about "excessive email use." People generally get the hint.
posted by madajb at 3:02 PM on August 1, 2005


I agree with the MYOB crowd 100%. You said it yourself, your company does not have an email reporting policy. Just MYOB and next time you think you need to snoop into someone's email, you should probably ask yourself (more than once) if it is REALLY necessary.
posted by necessitas at 3:18 PM on August 1, 2005


I think this person needs to be warned (or reminded) that they're putting their job at risk.

If you don't know them well enough to do it personally I wonder if a company wide email saying something like "Our network receives a lot of spam. It is often flagged simply because it has sexual/inappropriate words within the email. When emails are flagged the IT dept has to review each of these messages. Please be careful about giving your email address to unscrupelous websites as it is a time consuming process"
posted by selton at 3:24 PM on August 1, 2005


Wow. I seem to see some serious harshing on anon here, so I'll throw this into the mix -- what if your company does have a strict business-use-only policy? What should the sysadmin be doing in that instance?
posted by coriolisdave at 3:25 PM on August 1, 2005


coriolisdave:
"What should the sysadmin be doing in that instance?"


Quitting.
posted by madajb at 3:32 PM on August 1, 2005


Suggest to the person that they should get a non-company email for personal matters.
posted by devilsbrigade at 3:50 PM on August 1, 2005


MYOB until it becomes an issue of CYA, which maybe it already is. If this person is found out throguh some means, and it comes through that you did not report them, and you faced firing as a result, I'd turn the information over.
posted by xmutex at 4:04 PM on August 1, 2005


Aren't there more options other than a) staying quiet or b) going to the boss?

If you don't know the lad/lady in question and you don't want to confront him/her, you could either a) stop their e-mail from being logged or b) just blacklist the outside party's address (it's pretty hard to have e-mail sex by yourself).

Or, if you know the person in question, why not just open him/her a gmail account and leave a note to use that for personal e-mails. Or do as others have suggested, and hint to them indirectly that it's in his/her best interest to lay off the dirty chatting through the company e-mail.

I wouldn't go to the boss though, such an action seems needlessly cruel and likely to end in excessive punishment.
posted by aiko at 4:05 PM on August 1, 2005


Gmail is a good option, but other accounts may not be a solution to the problem -- I know that we scan all POP3 traffic in an effort to reduce virus/trojan infections, and those messages get dumped into the same traps as the business mail.
Also, this doesn't solve the use-of-company-resources aspect of the problem (both the employee's time, and the company's Internet connection/computers/etc).

madajb: Why quitting? (I'm serious). Why does the company not have the right to say what gets done with resources they provide (within reason, of course)?

I am not anon. Just starting to feel like them ;)
posted by coriolisdave at 4:24 PM on August 1, 2005


I'm with selton here. Send out a company-wide e-mail 1) reiterating the facts that the IT department must constantly tweak the spam filters and can view e-mail messages, and 2) emphatically encouraging employees to use their work e-mail only for work-related stuff, and that use of company resources for other purposes carries certain risks.

If the employee in question doesn't take the hint, and is going to be fired for other reasons soon anyway (re: "fired person walking"), then you are under no obligation to do anything further. If s/he is sending/receiving 50 of these explicit e-mails a day, how much work is s/he really getting done?

On the other hand, morally speaking, I still think the employee (not the boss) deserves at least a heads up. The sooner s/he is aware of the anomaly, the sooner it will stop.
posted by Lush at 4:29 PM on August 1, 2005


You should act according to your company policy and your job description, whatever they are.

Assuming you have a well-defined policy, you should have no qualms about reporting possible violations, as long as you do so consistently and fairly. (That is, no playing favorites... you shouldn't pay special attention to "fired person walking" unless instructed otherwise.)

Don't have a written policy? Change this. Work with your management to craft an acceptable use policy that can be distributed to employees. This lets everybody know what kind of behavior is expected, so there are no surprises. It doesn't have to ban personal use completely, but it should create boundries that the company considers important.

Finally, the distribution of a new policy also creates a good opportunity to remind everyone that their email is not private.
posted by blue mustard at 4:58 PM on August 1, 2005


coriolisdave:
Certainly the company has every legal right to limit use of their resources.

When seeing the contents of an email is unavoidable (as I think it was for anonymous) then the IT dept should consider itself a neutral party. They should only be concerned about the technical content (why did this email trip the spam filter and how can I avoid it happening in the future?) and not the actual content (huh, can you really do that with a goat? I wonder if the PHB knows that Bob is into that?).

A company that requires it's employees to rat on other employees is an evil place to work, in my opinion.

I think the decision of anonymous to "see no evil" is the right one.
posted by madajb at 5:01 PM on August 1, 2005


I've worked in plenty of IT departments. Everyone always assumed I read their mail, even when I denied it. Sometimes I could read it as part of the job, sometimes I couldn't, but very, very rarely did I ever need to or want to. (As I always said when the subject came, usually in the form of jokey accusations from staff, "Why would I want to read your email? It's all so boring" which either led them to saying in a playground nyah-nyah voice, "How do you know unless you read it?" which would admit that their email is indeed boring or to claiming their email wasn't boring, which means that I must not read it or else I would know that. Interestingly, most people who have both responses, in that order, one after the other.

But even those who swore up and down I was reading their mail would still send and receive highly in appropriate messages. They either trusted me or didn't care. Lots of porn, lovers notes, horrific reciprocated come-ons from dating site acquaintances, notifications about subscriptions to porn sites, etc.

One thing I don't think I've ever encountered: I've never spoken to a coworker or staff member about email and had them assume that their mail was strictly confidential. They seem to have always assumed it was insecure.

I would say that unless you really can finesse a generic, unspecific office-wide email even more finely tuned than the suggestions offered above, the mind-your-own-business crowd has it right. Odds are pretty good that talking about it is going to raise eyebrows, hackles, or a stink, and none of those are good situations for an IT person whose job requires as much trust from staff as possible.
posted by Mo Nickels at 5:45 PM on August 1, 2005


My hubby recently sent me an e-mail from his new job with what I consider a mild expletive (to wit, "bullshit"). Though the e-mail came through to me on my end, he received an auto-responder from the "E-mail police" at his company warning him that his e-mail contained inappropriate language and reiterating company policy. This may work for you: the auto-responder is "machine generated" and so anonymous enough to spare the receiver embarrassment, while still providing a good reminder that big brother is watching.
posted by airgirl at 5:59 PM on August 1, 2005


There is a middle ground between MYOB and being a corporate whore. I'd : (a) block the outsider's email address (and IP, just to be on the safe side) as spam (which, in a sense, it is) and (b) send a corporate-wide email warning about spam filters and the like.

Thus you (a) CYA (b) warn -- without harming -- the "offending party" and (c) (kind of) protect the corporate interest. Everbody's happy, right? Right!

Of course, you haven't posted the above question from a corporate workstation, right? Right!
posted by candle in the dark at 7:39 PM on August 1, 2005


Pretend you never saw it.

Work very diligently to avoid seeing any email content in the future. After all, it's extraordinarily rare that the contents of an email do anything to affect an admin's tasks.
posted by mosch at 7:47 PM on August 1, 2005


The only reason you should ever look at the contents of a message without permission from the sender or recipient, is if management specifically requests it.
posted by mosch at 7:48 PM on August 1, 2005


I think airgirl's response is excellent, or the suggestions to give an ambiguous "excessive email usage" type warning in person. It would be prudent to give them a wake-up call (for both of your sakes), but please, please don't get them fired over this of all things.

I wouldn't go so far as suggesting you put your own job on the line, but from the phrasing of your question I assume you'll have plausible deniability should management discover the messages on their own. Just steer clear.
posted by rafter at 9:27 PM on August 1, 2005


The only reason you should ever look at the contents of a message without permission from the sender or recipient, is if management specifically requests it.

This might be a good general rule, but it sounds to me like all is square with anonymous. I run a community site, and have been known to (gasp!) look at passwords to help identify spammers and trolls — though they kill cookies and hide behind proxies, they tend to use the same passwords over and over. "Should" I ever look at a member's password? Probably not. But I think I have the moral fortitude to break this rule when the situation calls for it. The same may go for anonymous.

(As a side note, this is exactly why it would be good for anonymous to remind his coworker that Big Brother is watching — because sometimes his job calls for looking at emails.)
posted by rafter at 9:34 PM on August 1, 2005


I'll have to second blue mustard's suggestion. I'm seeing a lot of "mind your own business" advice on this thread that sounds a bit to me like righteous indignation. Unfortunately, in a corporate environment, it *is* the corporation's (and by extension, the IT department's / everyone else who works there) business what kind of traffic goes out, email, telephone, whatever. There are the more obvious financial concerns (what if a client inadvertently sees the emails, or a potential client, or ... ) and the less obvious ones - sexually explicit language in the workplace could expose the employer to harassment claims (IANAL, btw). Additionally, when a person is at work, "on the clock," the company has a reasonable expectation that the employee will be working for the money they're being paid. I would equate "I found a lot, a lot (50 a day) of e-mails" with, say, taking a 2-hour lunch, or a 10 minute smoke break every hour. Depending, of course, on how fast the correspondent can type. :P

FWIW, I found a pretty detailed discussion of Privacy in the Workplace issues here.

I'm not suggesting that anonymous behave like some kind of uber-schoolmarm type, but I think s/he made it pretty clear that the discovery was made in the course and context of normal, legitimate IT activities, and suggesting that s/he turn a blind eye is bad advice for anonymous, the company, and the correspondent.

Off-topic - the spell check thinks "uber-schoolmarm" should be "bronchiolar." Chuckled me, that did.
posted by ZakDaddy at 6:15 AM on August 2, 2005


My boss (the owner of the company for which I work) regularly gets email from domains like playboy.com and the like with the words "Dear Valued Customer". In addition, I've had to clean eBay notifications out of the spamtrap that he's been outbid on "Girl on Girl Action IV".

In each of these instances, I've white listed the domain, deleted the email, and gone about my day. Sure, he missed out on that first email, but there's no way I'm forwarding it to him. Just thinking about it makes me all oogy.

At no time will I feel it's appropriate to bring it up to him. Sure, everyone in the office knows that I keep the email flowing by observing the email. They just don't want to acknowledge it.
posted by thanotopsis at 6:34 AM on August 2, 2005


I think what all the "MYOB" crowd here are (willfully?) ignoring is that the mail is retained and the execs look through it when they do their rare examination. What's the bite in anon's ass when they find this collaborative Penthouse Letters session?

In a perfect world the smutty keyboardist would be free to do what s/he likes so long as s/he handles the workload. However that's apparently not the company position and the core of the question here, I think, is "what are the bosses going to do when they discover this and ask 'did you know about this?'"

I'd let things be if I had a choice, personally, but I also wouldn't get myself in hot water because of their off-color way of screwing off at work.
posted by phearlez at 9:35 AM on August 2, 2005


I don't understand why this is a "fired person walking" in the first place? In my job experience I have yet to actually know anyone fired for legal, personal e-mails that had nothing to do with work or co-workers. I have encountered it added to other fireable infractions as further justification but never the main offense.

Further, in my days of pouring through stacks of corporate documents for legal proceedings I have had the pleasure of reading miles of personal emails from high level corporate executives, and let me tell you, there are some Fortune 500 CEO's out there with some serious kinks. I can think of at least two that used the corporate networks as their massive porn repositories. So, the idea that this person is just bound to be fired is just not realistic in my book.
posted by Pollomacho at 10:29 AM on August 2, 2005


I run a community site, and have been known to (gasp!) look at passwords

This is really bad. Passwords should never be stored cleartext, for just the reason you mentioned (many people re-use passwords).

I sincerely hope that you're looking at password hashes.
posted by mosch at 12:27 PM on August 2, 2005


« Older Methinks my fairly young firew...   |   Neurosisfilter: I'm not very ... Newer »
This thread is closed to new comments.