Privacy on Business and other email systems

Some recent conversations I have had brought to my attention the need to clarify for my friends and neighbors the situation regarding privacy when using various email systems.

The short version: Do not send anything personal or sensitive in nature to anyone at their employer’s email system. Likewise do not use your own work account to send or receive anything of personal or sensitive nature.

The fact of the matter is that a person generally does not have any privacy rights on the corporate email system. Even the minority opinion that suggests there are some rights suffers the point that it could be cumbersome, expensive, impossible to enforce such.

There is an increasing trend in many businesses to establish policies which greatly restrict people’s freedom when using company-owned machines – or even your own equipment (e.g.) on their network.

Of course, corporate email practices may vary widely. In some cases the policy is on the books for “CYA” purposes, so if you are caught selling child porn the business has a clear right to action. But in other cases there may be snooping up to the point that any normal person would consider creepy. You might have:

  • automated scanning of message content for key words — e.g. your shopping or investigation of medical issues, even things like “union” and “civil rights” (It’s not just prurience they seek!) … AND this scanning can go beyond email to sniffing the very packets of information that show where you browse, your passwords, etc.
  • a supervisor that can log in to your account and see everything that you can see
  • a nosy IT person who delights in finding people’s secrets (beyond the necessary function of administering the network, etc., where ethical IT folks deliberately turn a blind eye to specific content)

Some recommendations for email:

  1. Don’t send anything to or from a corporate account that you wouldn’t like on the supervisor’s desk – or posted on Facebook
  2. If you need to use email at work for anything of sensitive nature, use your own account. This might be a webmail account, or an email client application on your own device. You might want to make sure that you connect in a secure manner – e.g SSL/TLS settings for your application, or the same so you have the “padlock” in your browser. (GMail now prefers https by default). These measures can encrypt content between your device and the server or site to which you connect. Generally that makes your communication secure unless someone has physical access to your device.
  3. If you’re really paranoid, use encryption: GPG or similar. For this you likely need to be using a client program/app.

Plus, if you don’t store large amounts of data in your corporate account, you’ll make it easier for the poor IT person who has to archive all that stuff to comply with regulations for accountablity, etc.

An alternative while in the workplace is to use a webmail service such as GMail, but caveat: “Reading someone’s Gmail doesn’t violate federal statute, court finds