I always feel like, somebody's watching meeeeee
April 23, 2007 3:20 PM   Subscribe

When a corporation says they're monitoring email and internet access, what does that mean?

Specifically, what about Instant Messaging? Or other Mail programs?

I just started a new job at Big Company. I've been working at Tiny Upstart Company for years. We were able to install software, use whatever mail program we wanted, and Instant Message. I don't use it a lot (honest!) but it's good for when I have a question for my IT friend, or if my wife wants to jump on and ask me when I'm going to be home, etc.

So, the Big Company says they monitor email and internet useage... can they detect if I'm using an IM client? Or if I use Mail to check my home mail, etc. (BC uses Lotus Notes.)

(I'm on a Mac, btw)
posted by papercake to Computers & Internet (45 answers total) 2 users marked this as a favorite
They certainly can, if they want to, detect every plain-text message you send over any protocol across their network. They can make some pretty good-guess inferences about what sort of software you're using, based on local process monitoring and watching what ports you're sending on.

You can use tunnelling to get around the port issue, and encryption to keep your content obscured from network-based monitoring, but if the company owns the workstation you can presume that nothing is secret. And even barring that, you stand the risk that the company will notice odd or uncharacteristic data behavior as a result of said hijinx.

I have friends who work for large corps, defense contractors and such, whose options for network usage are heavily and effectively restricted as a matter of policy. My own workplace is less actively restrictive and responsive, but they do actively block, for example, common IM apps and ports.
posted by cortex at 3:32 PM on April 23, 2007

They're being nice enough to remind you that you have no "reasonable expectation of privacy" while using their Internet facilities. Yes, if they have appropriate firewall and network monitoring software installed, and a competent IT staff, or outsourced security organization, they can tell if you're using a traditional IM client, and if you're checking non-business e-mail accounts.

Know and follow their policy regarding personal use of Internet resources. Expect that your communications can be monitored.
posted by paulsc at 3:34 PM on April 23, 2007

Assume they can read anything that you aren't encrypting. This definitely includes instant messages (there are plenty of proxies they can install that can snoop that). They can also read your mail if you are not running on IMAP-SSL or POP-SSL. If you install Adium for IM, I believe it might have some ability to encrypt conversations with other Adium users.

I've consulted to Big Companies like this before, and most of them can get super anal when it comes to violation of their acceptable use policies, regardless of whether or not it is affecting your performance. At one place, one of the managers would gather up the employees once a month and they had a top ten list of non work-related websites that had been accessed and would give everybody a stern talking to. It was ridiculous. When my consulting gig with them was up, they asked my why they were unable to retain any of their best developers. I asked them why anyone that didn't have to work some place with such draconian policies would, and they didn't have a response.

Generally, assume they are watching everything you to. If you have cell signal you could use text messaging or get a smartphone and do anything you want to do on that.
posted by AaRdVarK at 3:39 PM on April 23, 2007

If you want to IM or read personal email at work, get a Blackberry, Blackjack, or E62 sort of cell phone/email device.

Or just use a regular cell phone that can do those things, too, and learn to love T9.
posted by wierdo at 4:05 PM on April 23, 2007

What the above answerers said. They can detect anything they choose to look for. With most kinds of encrypted traffic, they can still see clearly how much data you're exchanging with what site.

You could set up a VPN to your home machine, and thus hide what sites you're connecting to or protocols you're using, but they'd still be able to see you were transferring a lot of encrypted traffic to your home machine. (There are several different variations on this theme.)
posted by Zed_Lopez at 4:10 PM on April 23, 2007

When a corporation says they're monitoring email and internet access, what does that mean?

It means when they want to fire you, it is easier on them. Seriously, unless you're an employee in upper-management they monitor to make sure you're not in an outright lie on how client relations are going. Every instance of employee monitoring I saw (caveat I worked where there were no real office drones, everyone was professional level), was used as ammunition to fire someone. It really helps liability down the line in wrongful termination cases.

I've also seen execs monitor very higher up execs, not for firing purposes but to make sure they are handling very important clients the way they should be. This again, leads to firing.

Yes, they can potentially monitor anything. Telling your wife you'll be home at "x" time is harmless. In fact it is counter-productive for employers to be Big Brother about that. They really don't care about that. Telling your wife you'll be home at "x" time and then describing to her the various sexual acts in vivid detail is not so great, for what I hope are obvious reasons.

Having worked in an IT, I can say almost unanimously that as long as you aren't using dirty words (that can be caught by filters) are aren't doing outright bad -- no one cares, until it comes time to fire you or if they feel you are mishandling a client. Just be smart about it.
posted by geoff. at 4:11 PM on April 23, 2007 [1 favorite]

Depends on where you work, but I usually feel that internet & email monitoring policies are a bit of a fallback option for the company - ie they warn you that they can & will monitor your activity so you lose your expectation of privacy, from a legal perspective. Then, if your activity becomes unreasonable, they may discipline you. Realistically, though, everybody uses work machines for private purposes to some extent, just as they always used work phones for private matters. The extent to which this is tolerated depends on the company.

Remember that just because they can monitor everything doesn't necessarily mean that they will. Sysadmins are typically very honest people with high moral standards & probably wouldn't snoop on you just for the fun of it, and nor would they have the time. However, you activity will certainly end up on a log file somewhere for people to check if they feel the need.
posted by UbuRoivas at 4:11 PM on April 23, 2007

unanimously = unequivocally
posted by geoff. at 4:12 PM on April 23, 2007

Local brokerage houses seem to be pretty tight about e-mail policies, just as another example. All it takes is one insider trading investigation, and not only are your supposedly "personal" e-mails being gone over by the company, they could be entered as evidence in court.
posted by gimonca at 4:17 PM on April 23, 2007

Or just use a regular cell phone that can do those things, too, and learn to love T9.
posted by wierdo at 4:05 PM on April 23 [+]

If you do go the cell phone route, I highly recommend and use BluePhone Elite to text message people with an IM-like interface.
posted by vacapinta at 4:25 PM on April 23, 2007

IASE. I work developing said monitoring systems. Most companies are worried about things that can get the company in trouble, less so about what would get *you* in trouble unless it also involves the former.

What constitutes inappropirate content really is company-specific but every company is worried about losing intellectual property and violating regulations.
posted by trinity8-director at 4:26 PM on April 23, 2007

Depending on the IT setup, there are also programs where they can see exactly what you're doing in real-time without your knowledge. We use such programs regularly at school and it works pretty effectively.
posted by jmd82 at 4:33 PM on April 23, 2007

I work for a large company that also issues a "you may be monitored" warning. However since I work in IT I am aware that the small handful of people who have the tools and skills necessary to do any such monitoring tend to be kept extremely busy with the more fundamental task of keeping our network running. Other organisations may differ greatly - but total or even traffic monitoring is a rather expensive pass time for all but the most paranoid businesses.
posted by rongorongo at 4:52 PM on April 23, 2007

They could monitor your personal machine, e.g. with something as simple as VNC, which I've seen in a non-corporate environment.

If it's just traffic monitoring, then if you access gmail via ssl, the web-based chat component is also ssl.
posted by idb at 4:56 PM on April 23, 2007

By the way, it is perfectly legal for them to do this, and it is not actionable. It's a condition of your employment, and legally speaking if you find it intolerable your only remedy is to quit and find another job.
posted by Steven C. Den Beste at 5:04 PM on April 23, 2007

IANASE, but I have a good friend in corporate IT and family doing some scary software stuff.

First, in terms of AIM, it's unencrypted, plaint-text traffic on a documented protocol. Check out aimsniff (GPL) as a 'proof-of-concept' for snooping on AIM conversations.

And then two comments on e-mail. My friend in IT works in a place that 'reserves the right' to view peoples' mailboxes. He mentioned in passing one day that he receives copies of bounced mail, and he's come across some really steamy stuff. So just because you're not doing anything to set off filters doesn't mean that your e-mail won't be read.

My dad used to (within the past year) work for a computer company doing performance engineering on a system that would basically archive every message passing through the corporate mailserver, apparently in relation to Sarbanes-Oxley. I don't know who (if anyone) the end-users were, but it exists.
posted by fogster at 5:17 PM on April 23, 2007

Adium can encrypt messages. You can go the obscurity route and communicate to the outside world using Jabber (which can speak to most kinds of IM networks). They probably aren't equipped to look without a little work.

OTOH, traffic that they aren't expecting may get attention. but then again, some Jabber traffic looks like HTTP.

So, my advice: Use Adium and set it to speak ONLY to encrypted clients.

If that's onerous, get Adium (heh!) and set up a Jabber account on a SSL-encrypted server. From that server, add accounts for the various transport you use (like AOL, MSN, or Yahoo! IM).

Note, Jabber-to-transport links work well for everyday work, but it's rare to find one where file transfers work.

posted by cmiller at 5:26 PM on April 23, 2007

I work for a broker/dealer and one of my responsibilities is to read 4% of all electronic communications to ensure compliance with SEC/NASD rules and regulations. I often see personal email or IMs. It is not a big deal. I truly do not care that your girlfriend is fighting with your wife over who is the bigger sleaze bag. It is not why I am looking at the communication. If I see something particularly grievous that should be brought to the attention of HR, I will alert them. Usually, the first step is to tell the employee to tone it down.

I highly recommend that you keep all personal emails off your business email address. Use a hotmail, gmail, yahoo, etc address. Also, IMs of a personal nature are fine as long as you avoid saying anything negative about the company or something that would arise to a HR violation. Write as if someone is reading your email because they are. I suggest the use of a blackberry type device for your personal communications.
posted by JohnnyGunn at 5:28 PM on April 23, 2007

go into photoshop, type your email with the text tool, then export to a gif. Email that.

(actually dont do that, thats silly, but I think its a funny idea anyway)
posted by drjimmy11 at 5:36 PM on April 23, 2007 [2 favorites]

I monitor all the computers at my agency (Mac based), using Remote Access. I see every screen, all the time on my desktop.

I send out the same warning you received. Folks still don't believe it.

It is just amazing what I see... I could fire everyone that works for me if I wanted!

Don't do anything not related to work on that computer.
posted by HuronBob at 5:38 PM on April 23, 2007

I monitor all the computers at my agency (Mac based), using Remote Access. I see every screen, all the time on my desktop.

That's just insane. I have no expectation of privacy on company email, but that's just too much. I would never work somewhere like that in a million years.
posted by drjimmy11 at 5:47 PM on April 23, 2007

I would never work somewhere like that in a million years.

It's the nature of the game that you wouldn't necessarily know you worked somewhere like that until they fired you with documentation.
posted by cortex at 5:48 PM on April 23, 2007

My dad used to (within the past year) work for a computer company doing performance engineering on a system that would basically archive every message passing through the corporate mailserver, apparently in relation to Sarbanes-Oxley. I don't know who (if anyone) the end-users were, but it exists.

I've had to start doing the same thing based upon some recent lawsuits and advice from other academia IT people. However, I'd also get fired or in extreme trouble for rummaging through people's e-mails. On out end, it is purely a, "If someone in the school gets sued and they need our e-mail records," fall-back mechanism.
I always try to tell teachers and staff to refrain from using school e-mail for any personal use since the records can get subpoenaed (not that your gmail account can't, either, but I don't think gmail keeps all traffic for eternity).
posted by jmd82 at 5:59 PM on April 23, 2007

I think the advice given above to use encryption for communications is a poor idea. First of all, there's no better way to draw attention to yourself. The natural conclusion is that you're sending things you don't want them to read, and one reason might be that you're engaged in industrial espionage.

It doesn't help, anyway, because if they really want to they can look directly at your desktop, just as HuronBob discusses.

The right solution is to not use their computers and their internet link for things they wouldn't approve of.
posted by Steven C. Den Beste at 6:13 PM on April 23, 2007

A good policy to have is to never use your office email account for personal matters. Like other people have said: get a gmail/yahoo/whatever free webmail account and access it via SSL (https). Not only will they not monitor that (and likely will not care, as long as you aren't stealing corporate information or trafficking in child porn or some such), you will be able to take it with you when you leave.
posted by kdar at 6:14 PM on April 23, 2007

Things like Sarbanes-Oxley mean that you should expect email and IM to be logged and archived. Trends in security mean that you should expect your company to have at least evaluated using an IDS system that would at least collect statistical information about traffic passing in and out of the network. That information could be used to profile the types of things you're doing on your computer.

As an IT professional every place has basically had the same warning, but I don't have the time or the inclination to sit around all day playing network cop. If something is broken or not functioning as expected, I go fix it. If I need to look at your data to do my work, I do.

Depending on your goals, you have a few options. For IM or email your safest bet is something like a smartphone. I personally usually use ssh and screen to do my personal stuff through a single text window to the outside world.

It also never hurts to suck up to the IT folks. It doesn't take a lot of effort and they're much more likely to warn you of something instead of just passing it on to HR. Talk to them about _anything_ other than computers.
posted by joelr at 6:45 PM on April 23, 2007

You can assume that every activity you perform online is logged in excruciating detail. However in most organizations you are not being actively monitored. To do so would be a waste of resources, especially given how slim IT budgets are these days.

If you are a good employee, i.e. you generally don't piss people off, you do good work, and you don't do really stupid like surf porn, then no-one cares if you email your friends or surf Metafilter a little. But if you get into trouble and your boss is looking to build a case against you, then he/she will dig through the records and find something to use against you.
posted by randomstriker at 6:45 PM on April 23, 2007

randomstriker writes "You can assume that every activity you perform online is logged in excruciating detail. However in most organizations you are not being actively monitored. To do so would be a waste of resources, especially given how slim IT budgets are these days. "

This is what I assume about nearly every public company. I work for a financial company, and we were told that every single keystroke is being monitored, essentially. If something like Enron happened again, our every email could be made public, even ones that were 100% personal and had nothing to do with any potential scandal. I think about that every time I type an email!

And I can't believe that so many people think that employees can easily access webmail or get around webmail blocks. NO ONE I know who works at a public company can access webmail of any kind. (*ahem* - SOME people can have their mail forwarded from gmail to their work mail, but logging on to gmail does not work under any circumstances).
posted by peep at 7:28 PM on April 23, 2007

Don't check outside e-mail or use unauthorized instant messengers.

Low-level grunts can generally get away with that crap, but as you move up the corporate food chain, that becomes a bigger and bigger legal no-no. (no gwb43.com addresses!)

So you might as well act like you're already an exec, and only use authorized chat clients, e-mail, etc. Much of this is just so they have logs of everything, to comply with various laws and can prove that you weren't engaged in anything unseemly.
posted by Tacos Are Pretty Great at 7:29 PM on April 23, 2007

(*ahem* - SOME people can have their mail forwarded from gmail to their work mail, but logging on to gmail does not work under any circumstances).

This is a pretty terrible idea, unless you want all of your personal computers, e-mail accounts, etc to be subject to subpoena, in case of an investigation.
posted by Tacos Are Pretty Great at 7:30 PM on April 23, 2007

Whelp, you all (and Big Company) have put the fear of Dog in me and I will refrain from using any chat client (there isn't an "authorized" one as near as I can tell), and will only check personal email via the web, and very rarely.

And my MeFi and Boardgamegeek browsing days at work appear to be over, as well. Alas!

Thanks for all the responses, everyone.
posted by papercake at 7:59 PM on April 23, 2007

IAASE, and if I noticed you browsing BGG, I sure as hell wouldn't report you. I might try to blackmail you into playing Die Macher with me, though.

Check and see if your company has some kind of "reasonable personal use" policy - my company allows 15 minutes of personal use per day, plus lunchtime. Yours may also have a policy that allows for MeFi, BGG, and the occasional webcomic. Also, keep in mind that such a policy makes it harder for your company to enforce any sort of anti-slacking-off rules - before they can discipline you, they have to prove that you spent more time than is reasonable screwing around on the Internet, instead of proving that you spent any time at all doing so.
posted by yomimono at 8:44 PM on April 23, 2007

Is anyone aware of a PC-based program that'll run like Bluephone Elite - ie send text messages from your PC to the net via your phone? :)
posted by electriccynic at 2:15 AM on April 24, 2007

It's not necessarily true that SSL or https will prevent them from seeing everything that passes through their network. I can think of two straightforward ways to get around encrypted connections:

One, already mentioned, is just to view the contents of the worker's screen.

Two, it is entirely possible to set up a transparent proxy for https that logs all transmissions in plaintext. In order to do this however, the company has to run its own CA and install that CA's cert into your browser. Then your browser trusts any certs signed by that CA, and so the proxy can then fake the remote end of the SSL connection by replacing the remote's cert with its own cert. Again, this only works if the proxy's CA has been installed as a trusted signer in the browser, but then again the company owns the network and the computers and it is very easy to install certs across an entire network using e.g. Active Directory or even just manually doing it as part of the install.
posted by Rhomboid at 4:46 AM on April 24, 2007

The easiest way I know to avoid this kind of Big Brother crap is to boot your workstation off an Ubuntu live CD; then, open a terminal and use

ssh -p your-home-ssh-port-number -D localhost:1080 your.home.ssh.server

to establish a SOCKS tunnel to your box at home.

If you're extra careful you'll BYO .ssh/known_hosts file with you on a thumb drive and copy it into ~/.ssh before you start your ssh session, to avoid corporate IT pulling a man-in-the-middle attack. If you're extra extra careful you'll use "swapoff -a" in case somebody has installed a Linux swap partition on one of your workstation's hard drives; you want to be running totally in RAM so that when you see Lumbergh coming you can just hit the power switch and leave no trace of what you were doing.

Then open Firefox, configure it to use a SOCKS proxy on localhost port 1080, use about:config to change network.proxy.socks_remote_dns to true, and surf and IM (using gmail or meebo.com or whatever) to your heart's content.

Provided they've got no security cameras on you, and provided they haven't fitted your machine with a hardware keylogger, and provided your workstation has an LCD panel and not a CRT, you should be pretty much opaque.

But if they're on the ball, they will know that you've spent most of the day with an encrypted connection nailed up between your workstation and your home box. You could probably work around that with Tor and a bit of script, but now we're just getting ridiculous; and they'd still notice that all your traffic was encrypted.

Personally, I just leave one tab open on https://mail.google.com all day, and anybody who has a problem with that can find themselves another programmer.
posted by flabdablet at 5:28 AM on April 24, 2007

Sysadmins are typically very honest people with high moral standards & probably wouldn't snoop on you just for the fun of it...
That doesn't dovetail with the habits of the sysadmins I've ever known/worked with. Most of them seemed to actually get-off on their ability to spy on everyone. Some to the extent of archiving for their own personal jollies the more "interesting" stuff they encountered while monitoring other employees communications. Indeed, a couple of them tended to actually be the biggest violators of the company's web-usage policies (including surfing porn.)
posted by Thorzdad at 6:26 AM on April 24, 2007

I think whether it matters also depends on the kind of place you work. Financial companies are going to be psycho. Pretty much any media company I (or anyone I know) have worked for couldn't give less of a shit. And a place that wants to fire me badly enough to pull up IM conversations about hot boys and why my boss is being a nnoying today is a place that is not going to be pleasant to work for anyway--and I don't know about you, but if I have to spend most of my week here, I am going to expect a certain level of misery unacceptable.
posted by dame at 6:40 AM on April 24, 2007

find a certain level of misery
posted by dame at 6:41 AM on April 24, 2007

Seconding flabdablet. Use https://mail.google.com and be done with it.
posted by Mr. Gunn at 6:53 AM on April 24, 2007

I used to do IT work at a company that did monitoring. Reasonable Internet use was not a problem; everybody shops online, IMs, etc. They were really looking for people with too much use, i.e., not doing work, or going to chat sites or message boards and posting confidential financial information. Keep in mind that some IT person will know where you go on the web & for how long, what's in your email, and what you type on IM or unencrypted sites.

Talk to your boss, explain that you understand why a company would need to monitor, and you would like clarification re: IMing family and doing some surfing. If you are doing good work, no one will care that you visit MeFi in breaks.
posted by theora55 at 7:22 AM on April 24, 2007

I worked at a small company in the early days of the internet and they had every email my director ever wrote. They used it when they fired him. Similarly, I've worked at very, very large companies, and needless to say, they track everything. They were looking for an excuse to fire one employee and looked up what sites she browsed and for how long. It's used as an excuse for firings in a day and age where that's not even necessary anymore to can someone.

But I wouldn't worry about it. I seriously doubt they monitor your emails / IMs, etc. in terms of watching you. I think it's very rare that someone goes through this stuff. If the company is super protective they generally nanny-net you and then set up a security system that let's you do nothing. If that's not in place, I really wouldn't worry about it.
posted by xammerboy at 8:08 AM on April 24, 2007

boot your workstation off an Ubuntu live CD

This will not work if your Internet access is granted based on your Windows domain login or machine name. As it is in some companies to prevent unauthorized machines from being connected to the network.
posted by kindall at 8:59 AM on April 24, 2007

I work for a defense contractor. Much of what I do is logged, but, as many others have said, not actively monitored. The IT folk have more important things to do (keep the upstream to the home office up, block viruses & chain letters, &c.). We also have a transparent proxy handling all traffic back through the home office a timezone away, and blocking sites left and right. I'm highly amused when tech sites I go to are labeled as "GPORN" or "GSTREAM" or "MILITARY". The last category is most hilarious — we make things for the freakin' military, silly! YouTube has been blocked and unblocked, as has IMDB. I ssh into one server to follow my LJ friends list so I don't get photos I don't want coming up on my work computer.

They don't care so long as the sensitive stuff stays on this side of the internet.
posted by Xoder at 10:44 AM on April 24, 2007

This will not work if your Internet access is granted based on your Windows domain login or machine name

If you really need to authenticate against Active Directory before you get the ability to make an outgoing connection (this is rare) then you can do that on Ubuntu using Samba, or by running a suitably configured instance of Windows inside VMWare Player; you'd need your existing Windows machine name, machine SID and your usual Windows logon credentials.

Of course, even then the company could stop you connecting to a sympathetic outside box by using a suitable blacklist (or even a whitelist) in its Internet gateway - or they could shut down your network connection if they didn't see a regular "phone home" from whatever monitoring software they've wedged into Windows.

They can also use BIOS passwords to stop you telling your workstation to boot from anything except its own hard drive, if they want; of course, you can reset those if you have physical access to the machine's innards but this is probably going to be over the acceptable-behaviour line if they've set things up this way. It's all an arms race, and yes, they will generally have more arms available than you do.

But the vast majority of companies that do this kind of monitoring are not terribly serious about it; most of the remote-screen stuff will be there more for administrative and support reasons than for active spying, and if that's really all you want to turn off, running a workstation OS that you control instead of Them (e.g. Ubuntu) will do the job quite successfully.

I would personally never work for a company that stopped me being able to do this.
posted by flabdablet at 6:27 PM on April 25, 2007

me: Sysadmins are typically very honest people with high moral standards & probably wouldn't snoop on you just for the fun of it...

Thorzdad: That doesn't dovetail with the habits of the sysadmins I've ever known/worked with.

Well, it takes all kinds to make the world, and I have certainly heard of sysadmins who behave as you describe. The scrupulously honest sysadmin who respects privacy was actually a slightly surprising result in an industry report that I read sometime back - an analysis of character types in various IT roles. I think the invasive cowboy type might be more likely in a small company, where one guy basically rules the roost, with the more decent types in larger companies, where they know that they themselves may be scrutinised.
posted by UbuRoivas at 6:38 PM on April 25, 2007

« Older Software for role playing online?   |   Where all the Design Students at? Newer »
This thread is closed to new comments.