RE: Internet E-mail monitoring/approval

From: ONEILL David J (David.J.Oneill@state.or.us)
Date: 04/15/03

    Date: 15 Apr 2003 12:16:02 -0700
    From: ONEILL David J <David.J.Oneill@state.or.us>
    To: dave@netmedic.net, jgormlyjr@yahoo.com, security-basics@securityfocus.com, SRobinson@HIPUSA.com
    
    

    At our organization we had a recent "Witch Hunt" where a HR employee started
    scanning email backups looking for words that held, in her mind, religious
    connotations. One employee was targeted in particular (I believe it was
    because of her insistence on maintaining her religious rights in the
    workplace.) This also happened during a time of layoffs, and the mined
    information was used as ammunition to release her of her position. Litigation
    may be forthcoming.

    I would just like to applaud people like Sonja; it takes a lot of guts to say
    no to managers who are abusing their authority.

    Just another note: When companies say that the desktop belongs to us, so we
    should be able to search it at any time we like ... for any reason we like ...
    This is like saying that I own the apartment complex you live in so I should
    be able to ransack it at my leisure. People's workplace should have the same
    privacy expectation as their homes, regardless of who owns it.

    David J. O'Neill
    NEDSS - IS7
    Parkway Bldg., 2nd Floor
    Phone: (503) 378-2101 ext. 364
    FAX: (503) 378-2102

    >>> SRobinson@HIPUSA.com 04/15/03 11:54AM >>>
    ** This is not meant to be a rant just trying to bring up issues that you
    will encounter.**
    Just because it is called an investigation doesn't mean LEO is necessarily
    involved.

    [snip]You can do many things that may not be admissible in court as evidence
    in a criminal case.[snip]
    Doesn't matter, criminal and civil courts. By "SCOPE" you have to define
    what you are looking for when you focus on a particular person. For
    example, my proxy logs are telling me that John Smith is visiting P_O_R_N
    sites. I can review his machine for pictures and other similar items (i.e.
    the investigation scope) but this doesn't necessarily give me the right to
    read his e-mail or to look at all the documents on his machine for other
    things he "might have" done. Just because you are not LEO does not mean you
    can break the law or violate any privacy rights.

    Let's say that you fire an employee because he violated company policy, say
    they visited P_O_R_N sites (for those who made bounce comments yesterday).
    It's not illegal for him to do but it violated your policy. Don't you think
    that your evidence needs to stand up in a civil court when that guy sues you
    for wrongful termination? How do you prove that stuff was from his machine,
    that he downloaded/viewed it? What if it was just a rogue program that
    opened up a hundred of these sites on his machine and he didn't actively do
    it? What if a note goes in his personnel file and he is sanctioned (passed
    over for raise or promotion). Did you save the files or did you save the
    whole drive? How? How do you know it wasn't someone else on his machine?
    Did you document the findings? Who performed the analysis? Was a hash done
    of the drive or files? How do you know the access dates are correct? How
    do you know your logs weren't altered? Is your evidence tainted? No? Prove
    it! Any good attorney would tear you to bits in court. Plus he'd bring in
    a forensic expert who would analyze the data himself and blow some major
    holes in your case just by proving that you can't prove that the data is
    original and correct. With juries these days, I'm not taking any chances of
    costing my company $1Million because I didn't do it right.

    What if you were looking for one thing (i.e. P_O_R_N) and found that the guy
    was leaking trade secrets instead? Now you need to change your scope. I'm
    not saying you need subpoenas, I'm saying you consult your corp attorney and
    HR, let them know the deal and document the scope change. If you go on a
    fishing expedition, you can be held liable.

    As long as you are not acting as an agent for LEO you have a much wider
    latitude for your investigations. Once you bring in LEO you are considered
    their agent and must act accordingly. This is why I do most investigations
    prior to bringing them in. For example, where they may be required to get a
    subpoena for information, I am not. However, this doesn't mean that I can
    just do surveillance without just cause. Nor would I want to. I do believe
    that there is some expectation to privacy (like my locked desk). I also
    believe that if there is cause I will investigate. But I follow certain
    WRITTEN & APPROVED procedures and policies to do so to protect me, my
    company and whoever is being investigated.

    You don't want to get into a witch hunt either. There are times when I
    won't perform an investigation and I have refused to become involved, i.e.
    manager wants to fire someone because they don't like them so they want to
    look at the entire hard drive to see if they can find cause. Or someone is
    on vacation and their boss wants to snoop.

    Another reason for defining scope- besides covering your rear and staying
    within legal parameters - massive amounts of data on huge hard drives.
    Looking at every bit in an 80GB drive will take you years. If you know what you
    are looking for, then you can eliminate things you don't need and narrow
    down your search to the correct machine, logs, documents, etc.

    "Just because I CAN do something, doesn't mean I SHOULD."

    Sonja Robinson, CISA
    Network Security Analyst
    HIP Health Plans
    Office: 212-806-4125
    Pager: 8884238615

    -----Original Message-----
    From: dave [mailto:dave@netmedic.net]
    Sent: Monday, April 14, 2003 10:13 PM
    To: Robinson, Sonja; 'John Gormly'; 'security basics'
    Subject: RE: Internet E-mail monitoring/approval

    Sonja,

    I believe what you were saying is true, if you were a Law Enforcement
    Officer performing an Investigation. What "SCOPE" do you have to define??

    You can do many things that may not be admissible in court as evidence in a
    criminal case.

    Dave

    _____________________
    Dave Kleiman
    dave@netmedic.net
    www.netmedic.net

    -----Original Message-----
    From: Robinson, Sonja [mailto:SRobinson@HIPUSA.com]
    Sent: Monday, April 14, 2003 10:20
    To: 'John Gormly'; 'security basics'
    Subject: RE: Internet E-mail monitoring/approval

    Each of you is right to an extent.

    Yes, there are some privacy issues with e-mail. This is a touchy area. But
    yes you can monitor it. Yes, you SHOULD (MUST) have privacy (or lack
    thereof) policies, monitoring policies and investigation policies.

    Would I allow the manager to read all of the e-mail? Absolutely not! You
    can set yourself up for a lawsuit because you are performing an
    investigation that has NO DEFINED SCOPE and is being performed by a person
    who is not properly trained or qualified to do so. Not to mention
    monitoring and investigations should be done by someone objective. A
    manager is not. You can not just arbitrarily focus on one person without
    just cause. Let me explain this.

    I can monitor ALL users for web surfing and when a flag goes up for
    unauthorized sites, I can take action. But I was not focused on ONE user
    the entire time. Something caught my eye. I can have all e-mail go through
    a filter and if it picks up something I can investigate that. I can't just
    read Jane Doe's e-mail all day just because I can. Now, let's say the
    previously mentioned triggers or a very good suspicion about employee
    activity is the case (as in this case it most likely is). Well, now you go
    into investigation mode. This includes notifying your legal and hr dept
    that you are doing an investigation and you help them define the scope
    (especially legal). What items are being leaked? To Whom? Why do you think
    so? Based on these as well as other questions, you define your scope and
    perform the investigation. The investigator should (ideally) be a trained
    and properly qualified forensic expert. Why forensics? So that the
    investigation will be performed following applicable laws and that
    everything collected is OBJECTIVE and can be presented in court if it goes
    to that. In addition, a manager might not save e-mails properly (among
    other things), may accidentally accuse without having properly conducted
    the investigation and interpreting results. This could damage an employee's
    reputation and then you have a lawsuit there when they quit due to hostile
    environment (seen it happen). IF you fire an employee based on things in
    e-mail you just might find yourself in a lawsuit (especially if it's not what
    you were looking for originally). IF you go outside of the scope of the
    investigation without redefining scope with legal approval then you're in
    some potential trouble. Don't get me wrong, I investigate e-mail and
    Internet logs all the time. I just do it legally and with the proper
    approvals, scope etc. I watch out for everyone's rights, employee and
    employer.

    Sonja Robinson, CISA
    Network Security Analyst
    HIP Health Plans
    Office: 212-806-4125
    Pager: 8884238615

    -----Original Message-----
    From: John Gormly [mailto:jgormlyjr@yahoo.com]
    Sent: Saturday, April 12, 2003 8:05 AM
    To: 'security basics'
    Subject: RE: Internet E-mail monitoring/approval

    I would agree. Also check with Human Resources of the company. Our
    employees sign an agreement before being issued a computer stating that the
    computer is the property of the company and is for company use only. All
    activity (internet browsing, email access, etc.) while using company
    equipment is subject to monitoring. We've never had a problem monitoring
    email or internet access when we've needed to.

    -----Original Message-----
    From: Ben Schorr [mailto:bms@hawaiilawyer.com]
    Sent: Thursday, April 10, 2003 7:55 PM
    To: security basics

    > My 2 cents ...
    > 1. The basics of Law, Ethics and Investigation says, Never do anything
    > that is unknown to user. Monitoring email activity without user
    > knowledge is illegal and your company can be sued for billions of
    > dollars.

    Actually that's not necessarily true. It depends largely upon what your
    employee handbook and privacy agreements say. If they explicitly state that
    the e-mail system is company property and may be subject to monitoring
    then...it might not be illegal. It's assumed, in many cases, that if the
    employee has been notified that their e-mail is company property and may be
    monitored that any monitoring that may occur, even months later, is not
    without their knowledge.

    Best for Ted to consult with an attorney licensed to practice employment law
    in his state. Assuming he's in the USA.

    -Ben-
    Ben M. Schorr, MVP-Outlook, CNA, MCPx3
    Director of Information Services
    Damon Key Leong Kupchak Hastert
    http://www.hawaiilawyer.com
